Send proxy protocol header before TLS handshake
Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>
parent
30b0666219
commit
f9fbcfbb42
28 changed files with 566 additions and 416 deletions
|
|
@ -29,6 +29,9 @@ metadata:
|
|||
namespace: default
|
||||
|
||||
spec:
|
||||
proxyProtocol:
|
||||
version: 2
|
||||
terminationDelay: 100ms
|
||||
tls:
|
||||
serverName: example.org
|
||||
insecureSkipVerify: true
|
||||
|
|
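Review bot: the example enables `proxyProtocol` with `version: 2` under `spec:`, but nothing beside it tells the reader that the backend must be configured to accept a PROXY protocol header, or that (per the commit title) the header arrives before the TLS handshake. A backend that expects the TLS ClientHello as the first bytes will fail the connection, so a short YAML comment or a sentence under the example stating the ordering would help. Separately, the example still shows `insecureSkipVerify: true` next to the new lines; since readers copy this block, consider annotating it as test-only or showing certificate verification left on.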
@ -36,16 +39,18 @@ spec:
|
|||
|
||||
## Configuration Options
|
||||
|
||||
| Field | Description | Default | Required |
|
||||
|-------------------------------------|-----------------------------|-------------------------------------------|-----------------------|
|
||||
| `dialTimeout` | The amount of time to wait until a connection to a server can be established. If zero, no timeout exists. | 30s | No |
|
||||
| `dialKeepAlive` | The interval between keep-alive probes for an active network connection.<br />If this option is set to zero, keep-alive probes are sent with a default value (currently 15 seconds),<br />if supported by the protocol and operating system. Network protocols or operating systems that do not support keep-alives ignore this field.<br />If negative, keep-alive probes are turned off.| 15s | No |
|
||||
| `terminationDelay` | Defines the delay to wait before fully terminating the connection, after one connected peer has closed its writing capability.| 100ms | No |
|
||||
| `tls.serverName` | ServerName used to contact the server. | "" | No |
|
||||
| `tls.insecureSkipVerify` | Controls whether the server's certificate chain and host name is verified. | false | No |
|
||||
| `tls.peerCertURI` | Defines the URI used to match against SAN URIs during the server's certificate verification. | "" | No |
|
||||
| `tls.rootCAsSecrets` | Defines the set of root certificate authorities to use when verifying server certificates.<br />The CA secret must contain a base64 encoded certificate under either a `tls.ca` or a `ca.crt` key.| "" | No |
|
||||
| `tls.certificatesSecrets` | Certificates to present to the server for mTLS.| "" | No |
|
||||
| `spiffe` | Configures [SPIFFE](../../../../install-configuration/tls/spiffe.md) options. | "" | No |
|
||||
| `spiffe.ids` | Defines the allowed SPIFFE IDs. This takes precedence over the SPIFFE `trustDomain`. |""| No |
|
||||
| `spiffe.trustDomain` | Defines the allowed SPIFFE trust domain. | "" | No |
|
||||
| Field | Description | Default | Required |
|
||||
|---------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|----------|
|
||||
| `dialTimeout` | The amount of time to wait until a connection to a server can be established. If zero, no timeout exists. | 30s | No |
|
||||
| `dialKeepAlive` | The interval between keep-alive probes for an active network connection.<br />If this option is set to zero, keep-alive probes are sent with a default value (currently 15 seconds),<br />if supported by the protocol and operating system. Network protocols or operating systems that do not support keep-alives ignore this field.<br />If negative, keep-alive probes are turned off. | 15s | No |
|
||||
| `proxyProtocol` | Defines the Proxy Protocol configuration. An empty `proxyProtocol` section enables Proxy Protocol version 2. | | No |
|
||||
| `proxyProtocol.version` | Traefik supports PROXY Protocol version 1 and 2 on TCP Services. | | No |
|
||||
| `terminationDelay` | Defines the delay to wait before fully terminating the connection, after one connected peer has closed its writing capability. | 100ms | No |
|
||||
| `tls.serverName` | ServerName used to contact the server. | "" | No |
|
||||
| `tls.insecureSkipVerify` | Controls whether the server's certificate chain and host name is verified. | false | No |
|
||||
| `tls.peerCertURI` | Defines the URI used to match against SAN URIs during the server's certificate verification. | "" | No |
|
||||
| `tls.rootCAsSecrets` | Defines the set of root certificate authorities to use when verifying server certificates.<br />The CA secret must contain a base64 encoded certificate under either a `tls.ca` or a `ca.crt` key. | "" | No |
|
||||
| `tls.certificatesSecrets` | Certificates to present to the server for mTLS. | "" | No |
|
||||
| `spiffe` | Configures [SPIFFE](../../../../install-configuration/tls/spiffe.md) options. | "" | No |
|
||||
| `spiffe.ids` | Defines the allowed SPIFFE IDs. This takes precedence over the SPIFFE `trustDomain`. | "" | No |
|
||||
| `spiffe.trustDomain` | Defines the allowed SPIFFE trust domain. | "" | No |
|
||||
|
|
|
|||
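Review bot: in the new `proxyProtocol.version` row, the description ("Traefik supports PROXY Protocol version 1 and 2 on TCP Services.") does not say what the field sets, and its Default cell is empty even though the `proxyProtocol` row above states that an empty section enables version 2. Suggest wording along the lines of "Defines the PROXY Protocol version (1 or 2) sent to the server." with Default `2`. The table also never states that, when `tls` options are set as well, the header is sent before the TLS handshake, which is the behaviour the commit title describes and what an operator needs to know to configure the receiving side.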