New API security

2019-09-06 15:08:04 +02:00 · 2019-09-06 15:08:04 +02:00 · d044c0f4cc
commit d044c0f4cc
parent 1959e1fd44
90 changed files with 538 additions and 132 deletions
--- a/docs/content/observability/metrics/prometheus.md
+++ b/docs/content/observability/metrics/prometheus.md
@ -85,3 +85,34 @@ metrics:
 ```bash tab="CLI"
 --metrics.prometheus.addServicesLabels=true
 ```
+
+#### `entryPoint`
+
+_Optional, Default=traefik_
+
+Entry point used to expose metrics.
+
+```toml tab="File (TOML)"
+[entryPoints]
+  [entryPoints.metrics]
+    address = ":8082"
+
+[metrics]
+  [metrics.prometheus]
+    entryPoint = "metrics"
+```
+
+```yaml tab="File (YAML)"
+entryPoints:
+  metrics:
+    address: ":8082"
+
+metrics:
+  prometheus:
+    entryPoint: metrics
+```
+
+```bash tab="CLI"
+--entryPoints.metrics.address=":8082"
+--metrics.prometheus..entryPoint="metrics"
+```
--- a/docs/content/operations/api.md
+++ b/docs/content/operations/api.md
@ -1,8 +1,5 @@
 # API

-!!! important
-    In the RC version, you can't configure middlewares (basic authentication or white listing) anymore, but as security is important, this will change before the GA version.
-
 Traefik exposes a number of information through an API handler, such as the configuration of all routers, services, middlewares, etc.

 As with all features of Traefik, this handler can be enabled with the [static configuration](../getting-started/configuration-overview.md#the-static-configuration).
@ -22,11 +19,10 @@ would be to apply the following protection mechanisms:
  keeping it restricted to internal networks
  (as in the [principle of least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege), applied to networks).

-!!! important
-    In the beta version, you can't configure middlewares (basic authentication or white listing) anymore, but as security is important, this will change before the RC version.
-
 ## Configuration

+If you enable the API, a new special `service` named `api@internal` is created and then can be reference in a router.
+
 To enable the API handler:

 ```toml tab="File (TOML)"
@ -41,6 +37,83 @@ api: {}
 --api=true
 ```

+And then you will able to reference it like this.
+
+```yaml tab="Docker"
+  - "traefik.http.routers.api.rule=PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
+  - "traefik.http.routers.api.service=api@internal"
+  - "traefik.http.routers.api.middlewares=auth"
+  - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.routers.api.rule": "PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
+  "traefik.http.routers.api.service": "api@internal"
+  "traefik.http.routers.api.middlewares": "auth"
+  "traefik.http.middlewares.auth.basicauth.users": "test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
+}
+```
+
+```yaml tab="Rancher"
+# Declaring the user list
+labels:
+  - "traefik.http.routers.api.rule=PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
+    - "traefik.http.routers.api.service=api@internal"
+    - "traefik.http.routers.api.middlewares=auth"
+    - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
+```
+
+```toml tab="File (TOML)"
+[http.routers.my-api]
+    rule="PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
+    service="api@internal"
+    middlewares=["auth"]
+
+[http.middlewares.auth.basicAuth]
+    users = [
+        "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", 
+        "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
+      ]
+```
+
+```yaml tab="File (YAML)"
+http:
+  routers:
+    api:
+      rule: PathPrefix(`/api`) || PathPrefix(`/dashboard`)
+      service: api@internal
+      middlewares:
+        - auth
+  middlewares:
+    auth:
+      basicAuth:
+        users:
+        - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/" 
+        - "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+```
+
+### `insecure`
+
+Enable the API in `insecure` mode, which means that the API will be available directly on the entryPoint named `traefik`.
+
+!!! Note
+    If the entryPoint named `traefik` is not configured, it will be automatically created on port 8080.
+
+```toml tab="File (TOML)"
+[api]
+  insecure = true
+```
+
+```yaml tab="File (YAML)"
+api:
+  insecure: true
+```
+
+```bash tab="CLI"
+--api.insecure=true
+```
+
 ### `dashboard`

 _Optional, Default=true_
--- a/docs/content/operations/ping.md
+++ b/docs/content/operations/ping.md
@ -5,7 +5,7 @@ Checking the Health of Your Traefik Instances

 ## Configuration Examples

-??? example "Enabling /ping"
+!!! example "Enabling /ping"

 ```toml tab="File (TOML)"
 [ping]
@ -19,10 +19,39 @@ ping: {}
 --ping=true
 ```

+## Configuration Options
+
+The `/ping` health-check URL is enabled with the command-line `--ping` or config file option `[ping]`.
+
+You can customize the `entryPoint` where the `/ping` is active with the `entryPoint` option (default value: `traefik`)
+
 | Path    | Method        | Description                                                                                         |
 |---------|---------------|-----------------------------------------------------------------------------------------------------|
 | `/ping` | `GET`, `HEAD` | A simple endpoint to check for Traefik process liveness. Return a code `200` with the content: `OK` |

-## Configuration Options
+### `entryPoint`

-The `/ping` health-check URL is enabled with the command-line `--ping` or config file option `[ping]`.
+Enabling /ping on a dedicated EntryPoint.
+
+```toml tab="File (TOML)"
+[entryPoints]
+  [entryPoints.ping]
+    address = ":8082"
+
+[ping]
+  entryPoint = "ping"
+```
+
+```yaml tab="File (YAML)"
+entryPoints:
+  ping:
+    address: ":8082"
+
+ping:
+  entryPoint: "ping"
+```
+
+```bash tab="CLI"
+--entryPoints.ping.address=":8082"
+--ping.entryPoint="ping"
+```
--- a/docs/content/reference/static-configuration/cli-ref.md
+++ b/docs/content/reference/static-configuration/cli-ref.md
@ -45,6 +45,9 @@ Activate dashboard. (Default: ```true```)
 `--api.debug`:  
 Enable additional endpoints for debugging and profiling. (Default: ```false```)

+`--api.insecure`:  
+Activate API on an insecure entryPoints named traefik. (Default: ```false```)
+
 `--certificatesresolvers.<name>`:  
 Certificates resolvers configuration. (Default: ```false```)

@ -207,6 +210,9 @@ Enable metrics on services. (Default: ```true```)
 `--metrics.prometheus.buckets`:  
 Buckets for latency metrics. (Default: ```0.100000, 0.300000, 1.200000, 5.000000```)

+`--metrics.prometheus.entrypoint`:  
+EntryPoint (Default: ```traefik```)
+
 `--metrics.statsd`:  
 StatsD metrics exporter type. (Default: ```false```)

@ -223,7 +229,10 @@ Enable metrics on services. (Default: ```true```)
 StatsD push interval. (Default: ```10```)

 `--ping`:  
-Enable ping. (Default: ```true```)
+Enable ping. (Default: ```false```)
+
+`--ping.entrypoint`:  
+EntryPoint (Default: ```traefik```)

 `--providers.docker`:  
 Enable Docker backend with default settings. (Default: ```false```)
@ -433,7 +442,10 @@ Defines the polling interval in seconds. (Default: ```15```)
 Watch provider. (Default: ```true```)

 `--providers.rest`:  
-Enable Rest backend with default settings. (Default: ```true```)
+Enable Rest backend with default settings. (Default: ```false```)
+
+`--providers.rest.insecure`:  
+Activate REST Provider on an insecure entryPoints named traefik. (Default: ```false```)

 `--serverstransport.forwardingtimeouts.dialtimeout`:  
 The amount of time to wait until a connection to a backend server can be established. If zero, no timeout exists. (Default: ```30```)
--- a/docs/content/reference/static-configuration/env-ref.md
+++ b/docs/content/reference/static-configuration/env-ref.md
@ -45,6 +45,9 @@ Activate dashboard. (Default: ```true```)
 `TRAEFIK_API_DEBUG`:  
 Enable additional endpoints for debugging and profiling. (Default: ```false```)

+`TRAEFIK_API_INSECURE`:  
+Activate API on an insecure entryPoints named traefik. (Default: ```false```)
+
 `TRAEFIK_CERTIFICATESRESOLVERS_<NAME>`:  
 Certificates resolvers configuration. (Default: ```false```)

@ -207,6 +210,9 @@ Enable metrics on services. (Default: ```true```)
 `TRAEFIK_METRICS_PROMETHEUS_BUCKETS`:  
 Buckets for latency metrics. (Default: ```0.100000, 0.300000, 1.200000, 5.000000```)

+`TRAEFIK_METRICS_PROMETHEUS_ENTRYPOINT`:  
+EntryPoint (Default: ```traefik```)
+
 `TRAEFIK_METRICS_STATSD`:  
 StatsD metrics exporter type. (Default: ```false```)

@ -223,7 +229,10 @@ Enable metrics on services. (Default: ```true```)
 StatsD push interval. (Default: ```10```)

 `TRAEFIK_PING`:  
-Enable ping. (Default: ```true```)
+Enable ping. (Default: ```false```)
+
+`TRAEFIK_PING_ENTRYPOINT`:  
+EntryPoint (Default: ```traefik```)

 `TRAEFIK_PROVIDERS_DOCKER`:  
 Enable Docker backend with default settings. (Default: ```false```)
@ -433,7 +442,10 @@ Defines the polling interval in seconds. (Default: ```15```)
 Watch provider. (Default: ```true```)

 `TRAEFIK_PROVIDERS_REST`:  
-Enable Rest backend with default settings. (Default: ```true```)
+Enable Rest backend with default settings. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_REST_INSECURE`:  
+Activate REST Provider on an insecure entryPoints named traefik. (Default: ```false```)

 `TRAEFIK_SERVERSTRANSPORT_FORWARDINGTIMEOUTS_DIALTIMEOUT`:  
 The amount of time to wait until a connection to a backend server can be established. If zero, no timeout exists. (Default: ```30```)
--- a/docs/content/reference/static-configuration/file.toml
+++ b/docs/content/reference/static-configuration/file.toml
@ -96,6 +96,7 @@
    labelSelector = "foobar"
    ingressClass = "foobar"
  [providers.rest]
+    insecure = true
  [providers.rancher]
    constraints = "foobar"
    watch = true
@ -107,6 +108,7 @@
    prefix = "foobar"

 [api]
+  insecure = true
  dashboard = true
  debug = true

@ -115,6 +117,7 @@
    buckets = [42.0, 42.0]
    addEntryPointsLabels = true
    addServicesLabels = true
+    entryPoint = "foobar"
  [metrics.datadog]
    address = "foobar"
    pushInterval = "10s"
@ -137,6 +140,7 @@
    addServicesLabels = true

 [ping]
+  entryPoint = "foobar"

 [log]
  level = "foobar"
--- a/docs/content/reference/static-configuration/file.yaml
+++ b/docs/content/reference/static-configuration/file.yaml
@ -102,7 +102,8 @@ providers:
    - foobar
    labelSelector: foobar
    ingressClass: foobar
-  rest: {}
+  rest:
+    insecure: true
  rancher:
    constraints: foobar
    watch: true
@ -113,6 +114,7 @@ providers:
    intervalPoll: true
    prefix: foobar
 api:
+  insecure: true
  dashboard: true
  debug: true
 metrics:
@ -122,6 +124,7 @@ metrics:
    - 42
    addEntryPointsLabels: true
    addServicesLabels: true
+    entryPoint: foobar
  datadog:
    address: foobar
    pushInterval: 42
@ -142,7 +145,8 @@ metrics:
    password: foobar
    addEntryPointsLabels: true
    addServicesLabels: true
-ping: {}
+ping:
+  entryPoint: foobar
 log:
  level: foobar
  filePath: foobar