Send proxy protocol header before TLS handshake
Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>
This commit is contained in:
Romain
GitHub
parent
30b0666219
commit
f9fbcfbb42
28 changed files with 566 additions and 416 deletions
|
|
@ -16,7 +16,7 @@ This registers the `IngressRouteTCP` kind and other Traefik-specific resources.
|
|||
|
||||
You can declare an `IngressRouteTCP` as detailed below:
|
||||
|
||||
```yaml tab="IngressRoute"
|
||||
```yaml tab="IngressRouteTCP"
|
||||
apiVersion: traefik.io/v1alpha1
|
||||
kind: IngressRouteTCP
|
||||
metadata:
|
||||
|
|
@ -36,8 +36,6 @@ spec:
|
|||
- name: foo
|
||||
port: 8080
|
||||
weight: 10
|
||||
proxyProtocol:
|
||||
version: 1
|
||||
serversTransport: transport
|
||||
nativeLB: true
|
||||
nodePortLB: true
|
||||
|
|
@ -59,33 +57,31 @@ spec:
|
|||
|
||||
## Configuration Options
|
||||
|
||||
| Field | Description | Default | Required |
|
||||
|-------------------------------------|-----------------------------|-------------------------------------------|-----------------------|
|
||||
| `entryPoints` | List of entrypoints names. | | No |
|
||||
| `routes` | List of routes. | | Yes |
|
||||
| `routes[n].match` | Defines the [rule](../../../tcp/router/rules-and-priority.md#rules) of the underlying router. | | Yes |
|
||||
| `routes[n].priority` | Defines the [priority](../../../tcp/router/rules-and-priority.md#priority) to disambiguate rules of the same length, for route matching. | | No |
|
||||
| `routes[n].middlewares[n].name` | Defines the [MiddlewareTCP](./middlewaretcp.md) name. | | Yes |
|
||||
| `routes[n].middlewares[n].namespace` | Defines the [MiddlewareTCP](./middlewaretcp.md) namespace. | ""| No|
|
||||
| `routes[n].services` | List of [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) definitions. | | No |
|
||||
| `routes[n].services[n].name` | Defines the name of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). | | Yes |
|
||||
| `routes[n].services[n].port` | Defines the port of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). This can be a reference to a named port.| | Yes |
|
||||
| `routes[n].services[n].weight` | Defines the weight to apply to the server load balancing. | 1 | No |
|
||||
| `routes[n].services[n].proxyProtocol` | Defines the [PROXY protocol](../../../../install-configuration/entrypoints.md#proxyprotocol-and-load-balancers) configuration. | | No |
|
||||
| `routes[n].services[n].proxyProtocol.version` | Defines the [PROXY protocol](../../../../install-configuration/entrypoints.md#proxyprotocol-and-load-balancers) version. | | No |
|
||||
| `routes[n].services[n].serversTransport` | Defines the [ServersTransportTCP](./serverstransporttcp.md).<br />The `ServersTransport` namespace is assumed to be the [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) namespace. | | No |
|
||||
| `routes[n].services[n].nativeLB` | Controls, when creating the load-balancer, whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP. See [here](#nativelb) for more information. | false | No |
|
||||
| `routes[n].services[n].nodePortLB` | Controls, when creating the load-balancer, whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is `NodePort`. It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes. | false | No |
|
||||
| `tls` | Defines [TLS](../../../../install-configuration/tls/certificate-resolvers/overview.md) certificate configuration. | | No |
|
||||
| `tls.secretName` | Defines the [secret](https://kubernetes.io/docs/concepts/configuration/secret/) name used to store the certificate (in the `IngressRoute` namespace). | "" | No |
|
||||
| `tls.options` | Defines the reference to a [TLSOption](../http/tlsoption.md). | "" | No |
|
||||
| `tls.options.name` | Defines the [TLSOption](../http/tlsoption.md) name. | "" | No |
|
||||
| `tls.options.namespace` | Defines the [TLSOption](../http/tlsoption.md) namespace. | "" | No |
|
||||
| `tls.certResolver` | Defines the reference to a [CertResolver](../../../../install-configuration/tls/certificate-resolvers/overview.md). | "" | No |
|
||||
| `tls.domains` | List of domains. | "" | No |
|
||||
| `tls.domains[n].main` | Defines the main domain name. | "" | No |
|
||||
| `tls.domains[n].sans` | List of SANs (alternative domains). | "" | No |
|
||||
| `tls.passthrough` | If `true`, delegates the TLS termination to the backend. | false | No |
|
||||
| Field | Description | Default | Required |
|
||||
|-----------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|----------|
|
||||
| `entryPoints` | List of entrypoints names. | | No |
|
||||
| `routes` | List of routes. | | Yes |
|
||||
| `routes[n].match` | Defines the [rule](../../../tcp/router/rules-and-priority.md#rules) of the underlying router. | | Yes |
|
||||
| `routes[n].priority` | Defines the [priority](../../../tcp/router/rules-and-priority.md#priority) to disambiguate rules of the same length, for route matching. | | No |
|
||||
| `routes[n].middlewares[n].name` | Defines the [MiddlewareTCP](./middlewaretcp.md) name. | | Yes |
|
||||
| `routes[n].middlewares[n].namespace` | Defines the [MiddlewareTCP](./middlewaretcp.md) namespace. | "" | No |
|
||||
| `routes[n].services` | List of [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) definitions. | | No |
|
||||
| `routes[n].services[n].name` | Defines the name of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). | | Yes |
|
||||
| `routes[n].services[n].port` | Defines the port of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). This can be a reference to a named port. | | Yes |
|
||||
| `routes[n].services[n].weight` | Defines the weight to apply to the server load balancing. | 1 | No |
|
||||
| `routes[n].services[n].serversTransport` | Defines the [ServersTransportTCP](./serverstransporttcp.md).<br />The `ServersTransport` namespace is assumed to be the [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) namespace. | | No |
|
||||
| `routes[n].services[n].nativeLB` | Controls, when creating the load-balancer, whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP. See [here](#nativelb) for more information. | false | No |
|
||||
| `routes[n].services[n].nodePortLB` | Controls, when creating the load-balancer, whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is `NodePort`. It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes. | false | No |
|
||||
| `tls` | Defines [TLS](../../../../install-configuration/tls/certificate-resolvers/overview.md) certificate configuration. | | No |
|
||||
| `tls.secretName` | Defines the [secret](https://kubernetes.io/docs/concepts/configuration/secret/) name used to store the certificate (in the `IngressRoute` namespace). | "" | No |
|
||||
| `tls.options` | Defines the reference to a [TLSOption](../http/tlsoption.md). | "" | No |
|
||||
| `tls.options.name` | Defines the [TLSOption](../http/tlsoption.md) name. | "" | No |
|
||||
| `tls.options.namespace` | Defines the [TLSOption](../http/tlsoption.md) namespace. | "" | No |
|
||||
| `tls.certResolver` | Defines the reference to a [CertResolver](../../../../install-configuration/tls/certificate-resolvers/overview.md). | "" | No |
|
||||
| `tls.domains` | List of domains. | "" | No |
|
||||
| `tls.domains[n].main` | Defines the main domain name. | "" | No |
|
||||
| `tls.domains[n].sans` | List of SANs (alternative domains). | "" | No |
|
||||
| `tls.passthrough` | If `true`, delegates the TLS termination to the backend. | false | No |
|
||||
|
||||
### ExternalName Service
|
||||
|
||||
|
|
|
|||
|
|
@ -29,6 +29,9 @@ metadata:
|
|||
namespace: default
|
||||
|
||||
spec:
|
||||
proxyProtocol:
|
||||
version: 2
|
||||
terminationDelay: 100ms
|
||||
tls:
|
||||
serverName: example.org
|
||||
insecureSkipVerify: true
|
||||
|
|
@ -36,16 +39,18 @@ spec:
|
|||
|
||||
## Configuration Options
|
||||
|
||||
| Field | Description | Default | Required |
|
||||
|-------------------------------------|-----------------------------|-------------------------------------------|-----------------------|
|
||||
| `dialTimeout` | The amount of time to wait until a connection to a server can be established. If zero, no timeout exists. | 30s | No |
|
||||
| `dialKeepAlive` | The interval between keep-alive probes for an active network connection.<br />If this option is set to zero, keep-alive probes are sent with a default value (currently 15 seconds),<br />if supported by the protocol and operating system. Network protocols or operating systems that do not support keep-alives ignore this field.<br />If negative, keep-alive probes are turned off.| 15s | No |
|
||||
| `terminationDelay` | Defines the delay to wait before fully terminating the connection, after one connected peer has closed its writing capability.| 100ms | No |
|
||||
| `tls.serverName` | ServerName used to contact the server. | "" | No |
|
||||
| `tls.insecureSkipVerify` | Controls whether the server's certificate chain and host name is verified. | false | No |
|
||||
| `tls.peerCertURI` | Defines the URI used to match against SAN URIs during the server's certificate verification. | "" | No |
|
||||
| `tls.rootCAsSecrets` | Defines the set of root certificate authorities to use when verifying server certificates.<br />The CA secret must contain a base64 encoded certificate under either a `tls.ca` or a `ca.crt` key.| "" | No |
|
||||
| `tls.certificatesSecrets` | Certificates to present to the server for mTLS.| "" | No |
|
||||
| `spiffe` | Configures [SPIFFE](../../../../install-configuration/tls/spiffe.md) options. | "" | No |
|
||||
| `spiffe.ids` | Defines the allowed SPIFFE IDs. This takes precedence over the SPIFFE `trustDomain`. |""| No |
|
||||
| `spiffe.trustDomain` | Defines the allowed SPIFFE trust domain. | "" | No |
|
||||
| Field | Description | Default | Required |
|
||||
|---------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|----------|
|
||||
| `dialTimeout` | The amount of time to wait until a connection to a server can be established. If zero, no timeout exists. | 30s | No |
|
||||
| `dialKeepAlive` | The interval between keep-alive probes for an active network connection.<br />If this option is set to zero, keep-alive probes are sent with a default value (currently 15 seconds),<br />if supported by the protocol and operating system. Network protocols or operating systems that do not support keep-alives ignore this field.<br />If negative, keep-alive probes are turned off. | 15s | No |
|
||||
| `proxyProtocol` | Defines the Proxy Protocol configuration. An empty `proxyProtocol` section enables Proxy Protocol version 2. | | No |
|
||||
| `proxyProtocol.version` | Traefik supports PROXY Protocol version 1 and 2 on TCP Services. | | No |
|
||||
| `terminationDelay` | Defines the delay to wait before fully terminating the connection, after one connected peer has closed its writing capability. | 100ms | No |
|
||||
| `tls.serverName` | ServerName used to contact the server. | "" | No |
|
||||
| `tls.insecureSkipVerify` | Controls whether the server's certificate chain and host name is verified. | false | No |
|
||||
| `tls.peerCertURI` | Defines the URI used to match against SAN URIs during the server's certificate verification. | "" | No |
|
||||
| `tls.rootCAsSecrets` | Defines the set of root certificate authorities to use when verifying server certificates.<br />The CA secret must contain a base64 encoded certificate under either a `tls.ca` or a `ca.crt` key. | "" | No |
|
||||
| `tls.certificatesSecrets` | Certificates to present to the server for mTLS. | "" | No |
|
||||
| `spiffe` | Configures [SPIFFE](../../../../install-configuration/tls/spiffe.md) options. | "" | No |
|
||||
| `spiffe.ids` | Defines the allowed SPIFFE IDs. This takes precedence over the SPIFFE `trustDomain`. | "" | No |
|
||||
| `spiffe.trustDomain` | Defines the allowed SPIFFE trust domain. | "" | No |
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue