
New API security

This commit is contained in:
Julien Salleyron 2019-09-06 15:08:04 +02:00 committed by Traefiker Bot
parent 1959e1fd44
commit d044c0f4cc
90 changed files with 538 additions and 132 deletions


@ -22,6 +22,7 @@
address = ":8008"
[api]
insecure = true
[providers]
[providers.docker]


@ -31,6 +31,7 @@
{{end}}
[api]
insecure = true
[providers.file]
filename = "{{ .SelfFilename }}"


@ -31,6 +31,7 @@
{{end}}
[api]
insecure = true
[providers.file]
filename = "{{ .SelfFilename }}"


@ -31,6 +31,7 @@
{{end}}
[api]
insecure = true
[providers.file]
filename = "{{ .SelfFilename }}"


@ -31,6 +31,7 @@
{{end}}
[api]
insecure = true
[providers.file]
filename = "{{ .SelfFilename }}"


@ -31,6 +31,7 @@
{{end}}
[api]
insecure = true
[providers.file]
filename = "{{ .SelfFilename }}"


@ -31,6 +31,7 @@
{{end}}
[api]
insecure = true
[providers]
[providers.file]


@ -34,3 +34,4 @@
{{end}}
[api]
insecure = true


@ -10,6 +10,7 @@
address = ":8000"
[api]
insecure = true
[providers]
[providers.docker]


@ -10,6 +10,7 @@
address = ":8000"
[api]
insecure = true
[providers]
[providers.docker]


@ -13,6 +13,7 @@
address = ":4443"
[api]
insecure = true
[providers.file]
filename = "{{ .SelfFilename }}"


@ -10,6 +10,7 @@
address = ":8081"
[api]
insecure = true
[providers.file]
filename = "{{ .SelfFilename }}"


@ -10,6 +10,7 @@
address = ":4443"
[api]
insecure = true
[providers.file]
filename = "{{ .SelfFilename }}"


@ -13,6 +13,7 @@
address = ":4443"
[api]
insecure = true
[providers.file]
filename = "{{ .SelfFilename }}"


@ -13,6 +13,7 @@
address = ":4443"
[api]
insecure = true
[providers.file]
filename = "{{ .SelfFilename }}"


@ -12,6 +12,7 @@
address = ":9000"
[api]
insecure = true
[providers.file]
filename = "{{ .SelfFilename }}"


@ -10,6 +10,7 @@
address = ":8000"
[api]
insecure = true
[providers.file]
filename = "{{ .SelfFilename }}"


@ -10,6 +10,7 @@
address = ":8000"
[api]
insecure = true
[providers.file]
filename = "{{ .SelfFilename }}"


@ -10,6 +10,7 @@
address = ":4443"
[api]
insecure = true
[providers.file]
filename = "{{ .SelfFilename }}"


@ -10,6 +10,7 @@
address = ":4443"
[api]
insecure = true
[providers.file]
filename = "{{ .SelfFilename }}"


@ -10,6 +10,7 @@
address = ":4443"
[api]
insecure = true
[providers.file]
filename = "{{ .SelfFilename }}"


@ -13,6 +13,7 @@
address = ":8443"
[api]
insecure = true
[providers]
[providers.file]


@ -10,6 +10,7 @@
address = ":4443"
[api]
insecure = true
[providers.file]
filename = "{{ .SelfFilename }}"


@ -13,6 +13,7 @@
address = ":8443"
[api]
insecure = true
[providers.file]
filename = "{{ .SelfFilename }}"


@ -10,6 +10,7 @@
address = ":4443"
[api]
insecure = true
[providers.file]
filename = "{{ .SelfFilename }}"


@ -10,6 +10,7 @@
address = ":4443"
[api]
insecure = true
[providers.file]
filename = "{{ .SelfFilename }}"


@ -10,6 +10,7 @@
address = ":4443"
[api]
insecure = true
[providers.file]
filename = "{{ .SelfFilename }}"


@ -10,6 +10,7 @@
address = ":4443"
[api]
insecure = true
[providers.file]
filename = "{{ .SelfFilename }}"


@ -10,6 +10,7 @@
address = ":4443"
[api]
insecure = true
[providers.file]
filename = "{{ .SelfFilename }}"


@ -29,6 +29,7 @@ fblo6RBxUQ==
address = ":8081"
[api]
insecure = true
[providers.file]
filename = "{{ .SelfFilename }}"


@ -14,6 +14,7 @@
address = ":8081"
[api]
insecure = true
[providers.file]
filename = "{{ .SelfFilename }}"


@ -6,6 +6,7 @@
level = "DEBUG"
[api]
insecure = true
[entryPoints]
[entryPoints.footcp]


@ -3,6 +3,7 @@
sendAnonymousUsage = false
[api]
insecure = true
[log]
level = "DEBUG"


@ -12,6 +12,7 @@
address = ":9090"
[api]
insecure = true
[providers]
[providers.marathon]


@ -3,6 +3,7 @@
sendAnonymousUsage = false
[api]
insecure = true
[log]
level = "DEBUG"


@ -10,6 +10,7 @@
address = ":8000"
[api]
insecure = true
[providers]
[providers.docker]


@ -6,6 +6,7 @@
level = "DEBUG"
[api]
insecure = true
[entryPoints]
[entryPoints.web]
@ -13,6 +14,7 @@
[providers]
[providers.rest]
insecure = true
[providers.file]
filename = "{{ .SelfFilename }}"


@ -12,6 +12,7 @@
trustedIPs = ["{{.HaproxyIP}}"]
[api]
insecure = true
[providers.file]
filename = "{{ .SelfFilename }}"


@ -12,6 +12,7 @@
trustedIPs = ["1.2.3.4"]
[api]
insecure = true
[providers.file]
filename = "{{ .SelfFilename }}"


@ -3,6 +3,7 @@
sendAnonymousUsage = false
[api]
insecure = true
[log]
level = "DEBUG"


@ -10,6 +10,8 @@
address = ":8000"
[api]
insecure = true
[providers]
[providers.rest]
insecure = true


@ -0,0 +1,27 @@
[global]
checkNewVersion = false
sendAnonymousUsage = false
[log]
level = "DEBUG"
[entryPoints]
[entryPoints.web]
address = ":8000"
[api]
insecure = true
[providers.rest]
[providers.file]
filename = "{{ .SelfFilename }}"
[http.routers.rest]
rule="PathPrefix(`/secure`)"
service="rest@internal"
middlewares=["strip"]
[http.middlewares.strip.stripPrefix]
prefixes = [ "/secure" ]
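Review bot: This fixture (apparently the `simple_secure.toml` loaded by the REST test) routes `rest@internal`, an endpoint that accepts configuration writes, on the `web` entry point with only `stripPrefix` attached, and it still sets `[api] insecure = true`. A header comment would keep it from being read as a hardened example, e.g. `# Routing-only fixture: rest@internal is reachable without authentication; attach an auth middleware outside of tests.` The new API fixture containing `[http.routers.api]` has the same shape and would benefit from the same comment.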


@ -10,6 +10,7 @@
address = ":8000"
[api]
insecure = true
[providers.file]
filename = "{{ .SelfFilename }}"


@ -10,6 +10,7 @@
address = ":4443"
[api]
insecure = true
[providers.file]
filename = "{{ .SelfFilename }}"


@ -10,6 +10,7 @@
address = ":4443"
[api]
insecure = true
[providers.file]
filename = "{{ .SelfFilename }}"


@ -13,6 +13,7 @@
address = ":8001"
[api]
insecure = true
middlewares = ["authentication@file"]
[ping]
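Review bot: `insecure = true` sits in the same `[api]` table as `middlewares = ["authentication@file"]`, and nothing visible in this change asserts that the authentication middleware still guards the API once it is served through the insecure listener. If the option is still honoured, a request without credentials expecting 401 would pin that; if it is not, the `middlewares` line should be dropped so the fixture does not suggest protection that is absent. The side of each line is not recoverable from this rendering, so this assumes `insecure = true` is the added line.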


@ -10,6 +10,7 @@
address = ":8000"
[api]
insecure = true
[providers]
[providers.docker]


@ -0,0 +1,25 @@
[global]
checkNewVersion = false
sendAnonymousUsage = false
[entryPoints]
[entryPoints.web]
address = ":8000"
[entryPoints.traefik]
address = ":8080"
[api]
[providers.file]
filename = "{{ .SelfFilename }}"
[http.routers.api]
rule="PathPrefix(`/secure`)"
service="api@internal"
middlewares=["strip"]
[http.middlewares.strip.stripPrefix]
prefixes = [ "/secure" ]
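Review bot: The `[http.routers.api]` router declares no `entryPoints`, so it presumably attaches to every entry point, including `traefik` on :8080, rather than only `web`. If the intent is to expose `api@internal` on :8000 alone, add `entryPoints = ["web"]` to the router. TestSecureAPI checks `/api/rawdata` on :8080 but not `/secure/api/rawdata`, so the router's actual reach is not asserted either way.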


@ -10,6 +10,7 @@
address = ":8000"
[api]
insecure = true
[providers.file]
filename = "{{ .SelfFilename }}"


@ -10,3 +10,4 @@
address = ":8000"
[api]
insecure = true


@ -9,9 +9,10 @@
[entryPoints.web]
address = ":8000"
[entryPoints.web.ForwardedHeaders]
insecure=true
insecure = true
[api]
insecure = true
[providers]
[providers.docker]


@ -10,6 +10,7 @@
address = ":8093"
[api]
insecure = true
[providers.file]
filename = "{{ .SelfFilename }}"


@ -10,6 +10,7 @@
address = ":8093"
[api]
insecure = true
[providers.file]
filename = "{{ .SelfFilename }}"


@ -10,6 +10,7 @@
address = ":8093"
[api]
insecure = true
[providers.file]
filename = "{{ .SelfFilename }}"


@ -10,6 +10,7 @@
address = ":8093"
[api]
insecure = true
[providers.file]
filename = "{{ .SelfFilename }}"


@ -10,6 +10,7 @@
address = ":8093"
[api]
insecure = true
[providers.file]
filename = "{{ .SelfFilename }}"


@ -10,6 +10,7 @@
address = ":8093"
[api]
insecure = true
[providers.file]
filename = "{{ .SelfFilename }}"


@ -17,6 +17,7 @@
format = "json"
[api]
insecure = true
[providers.file]
filename = "{{ .SelfFilename }}"


@ -13,6 +13,7 @@
address = ":8000"
[api]
insecure = true
[providers.file]
filename = "{{ .SelfFilename }}"


@ -13,6 +13,7 @@
address = ":8443"
[api]
insecure = true
[providers]
[providers.docker]


@ -6,6 +6,7 @@
level = "DEBUG"
[api]
insecure = true
[entryPoints]
[entryPoints.web]


@ -6,6 +6,7 @@
level = "DEBUG"
[api]
insecure = true
[entryPoints]
[entryPoints.web]


@ -6,6 +6,7 @@
level = "DEBUG"
[api]
insecure = true
[entryPoints]
[entryPoints.web]


@ -14,6 +14,7 @@
address = ":8000"
[api]
insecure = true
dashboard = false
[providers]


@ -10,6 +10,7 @@
address = ":8000"
[api]
insecure = true
[providers.file]
filename = "{{ .SelfFilename }}"


@ -13,6 +13,7 @@
address = ":8000"
[api]
insecure = true
[providers.file]
filename = "{{ .SelfFilename }}"


@ -3,6 +3,7 @@
sendAnonymousUsage = false
[api]
insecure = true
[log]
level = "DEBUG"


@ -3,6 +3,7 @@
sendAnonymousUsage = false
[api]
insecure = true
[log]
level = "DEBUG"


@ -4,6 +4,8 @@ import (
"bytes"
"encoding/json"
"net/http"
"os"
"strings"
"time"
"github.com/containous/traefik/v2/integration/try"
@ -20,7 +22,7 @@ func (s *RestSuite) SetUpSuite(c *check.C) {
s.composeProject.Start(c)
}
func (s *RestSuite) TestSimpleConfiguration(c *check.C) {
func (s *RestSuite) TestSimpleConfigurationInsecure(c *check.C) {
cmd, display := s.traefikCmd(withConfigFile("fixtures/rest/simple.toml"))
defer display(c)
@ -110,3 +112,107 @@ func (s *RestSuite) TestSimpleConfiguration(c *check.C) {
c.Assert(err, checker.IsNil)
}
}
func (s *RestSuite) TestSimpleConfiguration(c *check.C) {
file := s.adaptFile(c, "fixtures/rest/simple_secure.toml", struct{}{})
defer os.Remove(file)
cmd, display := s.traefikCmd(withConfigFile(file))
defer display(c)
err := cmd.Start()
c.Assert(err, checker.IsNil)
defer cmd.Process.Kill()
// Expected a 404 as we did not configure anything.
err = try.GetRequest("http://127.0.0.1:8000/", 1000*time.Millisecond, try.StatusCodeIs(http.StatusNotFound))
c.Assert(err, checker.IsNil)
err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 2000*time.Millisecond, try.BodyContains("PathPrefix(`/secure`)"))
c.Assert(err, checker.IsNil)
request, err := http.NewRequest(http.MethodPut, "http://127.0.0.1:8080/api/providers/rest", strings.NewReader("{}"))
c.Assert(err, checker.IsNil)
response, err := http.DefaultClient.Do(request)
c.Assert(err, checker.IsNil)
c.Assert(response.StatusCode, checker.Equals, http.StatusNotFound)
testCase := []struct {
desc string
config *dynamic.Configuration
ruleMatch string
}{
{
desc: "deploy http configuration",
config: &dynamic.Configuration{
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{
"router1": {
EntryPoints: []string{"web"},
Middlewares: []string{},
Service: "service1",
Rule: "PathPrefix(`/`)",
},
},
Services: map[string]*dynamic.Service{
"service1": {
LoadBalancer: &dynamic.ServersLoadBalancer{
Servers: []dynamic.Server{
{
URL: "http://" + s.composeProject.Container(c, "whoami1").NetworkSettings.IPAddress + ":80",
},
},
},
},
},
},
},
ruleMatch: "PathPrefix(`/`)",
},
{
desc: "deploy tcp configuration",
config: &dynamic.Configuration{
TCP: &dynamic.TCPConfiguration{
Routers: map[string]*dynamic.TCPRouter{
"router1": {
EntryPoints: []string{"web"},
Service: "service1",
Rule: "HostSNI(`*`)",
},
},
Services: map[string]*dynamic.TCPService{
"service1": {
LoadBalancer: &dynamic.TCPLoadBalancerService{
Servers: []dynamic.TCPServer{
{
Address: s.composeProject.Container(c, "whoami1").NetworkSettings.IPAddress + ":80",
},
},
},
},
},
},
},
ruleMatch: "HostSNI(`*`)",
},
}
for _, test := range testCase {
json, err := json.Marshal(test.config)
c.Assert(err, checker.IsNil)
request, err := http.NewRequest(http.MethodPut, "http://127.0.0.1:8000/secure/api/providers/rest", bytes.NewReader(json))
c.Assert(err, checker.IsNil)
response, err := http.DefaultClient.Do(request)
c.Assert(err, checker.IsNil)
c.Assert(response.StatusCode, checker.Equals, http.StatusOK)
err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1000*time.Millisecond, try.BodyContains(test.ruleMatch))
c.Assert(err, checker.IsNil)
err = try.GetRequest("http://127.0.0.1:8000/", 1000*time.Millisecond, try.StatusCodeIs(http.StatusOK))
c.Assert(err, checker.IsNil)
}
}
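Review bot: The new 404 assertion in TestSimpleConfiguration probes the REST endpoint only on :8080; the unprefixed path on the `web` entry point (:8000) is never checked, so the test would still pass if the handler were also served outside the `/secure` router. A second PUT against `http://127.0.0.1:8000/api/providers/rest` expecting 404, placed before the table loop (before any `PathPrefix(`/`)` router is pushed), would pin that. Both `http.DefaultClient.Do` responses, here and inside the loop, are also left unclosed; closing `response.Body` after each call avoids leaking connections across the suite.

```go
// … unchanged: PUT on :8080/api/providers/rest asserted to return 404 …
response.Body.Close()

request, err = http.NewRequest(http.MethodPut, "http://127.0.0.1:8000/api/providers/rest", strings.NewReader("{}"))
c.Assert(err, checker.IsNil)
response, err = http.DefaultClient.Do(request)
c.Assert(err, checker.IsNil)
response.Body.Close()
c.Assert(response.StatusCode, checker.Equals, http.StatusNotFound)
// … unchanged: testCase table and deployment loop …
```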


@ -161,33 +161,6 @@ func (s *SimpleSuite) TestRequestAcceptGraceTimeout(c *check.C) {
}
}
func (s *SimpleSuite) TestApiOnSameEntryPoint(c *check.C) {
c.Skip("Waiting for new api handler implementation")
s.createComposeProject(c, "base")
s.composeProject.Start(c)
cmd, output := s.traefikCmd("--entryPoints.http.Address=:8000", "--api.entryPoint=http", "--log.level=DEBUG", "--providers.docker")
defer output(c)
err := cmd.Start()
c.Assert(err, checker.IsNil)
defer cmd.Process.Kill()
// TODO validate : run on 80
// Expected a 404 as we did not configure anything
err = try.GetRequest("http://127.0.0.1:8000/test", 1*time.Second, try.StatusCodeIs(http.StatusNotFound))
c.Assert(err, checker.IsNil)
err = try.GetRequest("http://127.0.0.1:8000/api/rawdata", 1*time.Second, try.StatusCodeIs(http.StatusOK))
c.Assert(err, checker.IsNil)
err = try.GetRequest("http://127.0.0.1:8000/api/rawdata", 1*time.Second, try.BodyContains("PathPrefix"))
c.Assert(err, checker.IsNil)
err = try.GetRequest("http://127.0.0.1:8000/whoami", 1*time.Second, try.StatusCodeIs(http.StatusOK))
c.Assert(err, checker.IsNil)
}
func (s *SimpleSuite) TestStatsWithMultipleEntryPoint(c *check.C) {
c.Skip("Stats is missing")
s.createComposeProject(c, "stats")
@ -250,7 +223,7 @@ func (s *SimpleSuite) TestDefaultEntryPointHTTP(c *check.C) {
s.createComposeProject(c, "base")
s.composeProject.Start(c)
cmd, output := s.traefikCmd("--entryPoints.http.Address=:8000", "--log.level=DEBUG", "--providers.docker", "--api")
cmd, output := s.traefikCmd("--entryPoints.http.Address=:8000", "--log.level=DEBUG", "--providers.docker", "--api.insecure")
defer output(c)
err := cmd.Start()
@ -268,7 +241,7 @@ func (s *SimpleSuite) TestWithNonExistingEntryPoint(c *check.C) {
s.createComposeProject(c, "base")
s.composeProject.Start(c)
cmd, output := s.traefikCmd("--entryPoints.http.Address=:8000", "--log.level=DEBUG", "--providers.docker", "--api")
cmd, output := s.traefikCmd("--entryPoints.http.Address=:8000", "--log.level=DEBUG", "--providers.docker", "--api.insecure")
defer output(c)
err := cmd.Start()
@ -286,7 +259,7 @@ func (s *SimpleSuite) TestMetricsPrometheusDefaultEntryPoint(c *check.C) {
s.createComposeProject(c, "base")
s.composeProject.Start(c)
cmd, output := s.traefikCmd("--entryPoints.http.Address=:8000", "--api", "--metrics.prometheus.buckets=0.1,0.3,1.2,5.0", "--providers.docker", "--log.level=DEBUG")
cmd, output := s.traefikCmd("--entryPoints.http.Address=:8000", "--api.insecure", "--metrics.prometheus.buckets=0.1,0.3,1.2,5.0", "--providers.docker", "--log.level=DEBUG")
defer output(c)
err := cmd.Start()
@ -785,3 +758,27 @@ func (s *SimpleSuite) TestMirrorCanceled(c *check.C) {
c.Assert(val1, checker.Equals, int32(0))
c.Assert(val2, checker.Equals, int32(0))
}
func (s *SimpleSuite) TestSecureAPI(c *check.C) {
s.createComposeProject(c, "base")
s.composeProject.Start(c)
file := s.adaptFile(c, "./fixtures/simple_secure_api.toml", struct{}{})
defer os.Remove(file)
cmd, output := s.traefikCmd(withConfigFile(file))
defer output(c)
err := cmd.Start()
c.Assert(err, checker.IsNil)
defer cmd.Process.Kill()
err = try.GetRequest("http://127.0.0.1:8000/secure/api/rawdata", 1*time.Second, try.StatusCodeIs(http.StatusOK))
c.Assert(err, checker.IsNil)
err = try.GetRequest("http://127.0.0.1:8000/api/rawdata", 1*time.Second, try.StatusCodeIs(http.StatusNotFound))
c.Assert(err, checker.IsNil)
err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1*time.Second, try.StatusCodeIs(http.StatusNotFound))
c.Assert(err, checker.IsNil)
}
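Review bot: TestSecureAPI asserts only that the API moves from `/api` to `/secure/api`; no test visible on this page drives the `api@internal` router through an authentication middleware, which is the access-control case the router-based model is meant to enable. Consider a fixture variant that attaches a `basicAuth` middleware to the router, plus a check that an unauthenticated `GET /secure/api/rawdata` returns 401 and an authenticated one returns 200. That would make the test cover access control as well as path relocation.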