homelab/traefik
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add TCP Middlewares support

Browse source
This commit is contained in:
Romain 2021-06-11 15:30:05 +02:00 committed by GitHub
parent 679def0151
commit fc9f41b955
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
134 changed files with 5865 additions and 1852 deletions
Download patch file Download diff file Expand all files Collapse all files

2
docs/content/middlewares/addprefix.md → docs/content/middlewares/http/addprefix.md
View file

@ -3,7 +3,7 @@
Prefixing the Path
{: .subtitle }
![AddPrefix](../assets/img/middleware/addprefix.png)
![AddPrefix](../../assets/img/middleware/addprefix.png)
The AddPrefix middleware updates the path of a request before forwarding it.

2
docs/content/middlewares/basicauth.md → docs/content/middlewares/http/basicauth.md
View file

@ -3,7 +3,7 @@
Adding Basic Authentication
{: .subtitle }
![BasicAuth](../assets/img/middleware/basicauth.png)
![BasicAuth](../../assets/img/middleware/basicauth.png)
The BasicAuth middleware restricts access to your services to known users.

2
docs/content/middlewares/buffering.md → docs/content/middlewares/http/buffering.md
View file

@ -3,7 +3,7 @@
How to Read the Request before Forwarding It
{: .subtitle }
![Buffering](../assets/img/middleware/buffering.png)
![Buffering](../../assets/img/middleware/buffering.png)
The Buffering middleware limits the size of requests that can be forwarded to services.

2
docs/content/middlewares/chain.md → docs/content/middlewares/http/chain.md
View file

@ -3,7 +3,7 @@
When One Isn't Enough
{: .subtitle }
![Chain](../assets/img/middleware/chain.png)
![Chain](../../assets/img/middleware/chain.png)
The Chain middleware enables you to define reusable combinations of other pieces of middleware.
It makes reusing the same groups easier.

2
docs/content/middlewares/circuitbreaker.md → docs/content/middlewares/http/circuitbreaker.md
View file

@ -3,7 +3,7 @@
Don't Waste Time Calling Unhealthy Services
{: .subtitle }
![CircuitBreaker](../assets/img/middleware/circuitbreaker.png)
![CircuitBreaker](../../assets/img/middleware/circuitbreaker.png)
The circuit breaker protects your system from stacking requests to unhealthy services, resulting in cascading failures.

2
docs/content/middlewares/compress.md → docs/content/middlewares/http/compress.md
View file

@ -3,7 +3,7 @@
Compress Responses before Sending them to the Client
{: .subtitle }
![Compress](../assets/img/middleware/compress.png)
![Compress](../../assets/img/middleware/compress.png)
The Compress middleware uses gzip compression.

0
docs/content/middlewares/contenttype.md → docs/content/middlewares/http/contenttype.md
View file

2
docs/content/middlewares/digestauth.md → docs/content/middlewares/http/digestauth.md
View file

@ -3,7 +3,7 @@
Adding Digest Authentication
{: .subtitle }
![BasicAuth](../assets/img/middleware/digestauth.png)
![BasicAuth](../../assets/img/middleware/digestauth.png)
The DigestAuth middleware restricts access to your services to known users.

2
docs/content/middlewares/errorpages.md → docs/content/middlewares/http/errorpages.md
View file

@ -3,7 +3,7 @@
It Has Never Been Easier to Say That Something Went Wrong
{: .subtitle }
![ErrorPages](../assets/img/middleware/errorpages.png)
![ErrorPages](../../assets/img/middleware/errorpages.png)
The ErrorPage middleware returns a custom page in lieu of the default, according to configured ranges of HTTP Status codes.

2
docs/content/middlewares/forwardauth.md → docs/content/middlewares/http/forwardauth.md
View file

@ -3,7 +3,7 @@
Using an External Service to Forward Authentication
{: .subtitle }
![AuthForward](../assets/img/middleware/authforward.png)
![AuthForward](../../assets/img/middleware/authforward.png)
The ForwardAuth middleware delegates authentication to an external service.
If the service answers with a 2XX code, access is granted, and the original request is performed.

6
docs/content/middlewares/headers.md → docs/content/middlewares/http/headers.md
View file

@ -3,7 +3,7 @@
Managing Request/Response headers
{: .subtitle }
![Headers](../assets/img/middleware/headers.png)
![Headers](../../assets/img/middleware/headers.png)
The Headers middleware manages the headers of requests and responses.
@ -349,7 +349,7 @@ The `hostsProxyHeaders` option is a set of header keys that may hold a proxied h
!!! warning
Deprecated in favor of [EntryPoint redirection](../routing/entrypoints.md#redirection) or the [RedirectScheme middleware](./redirectscheme.md).
Deprecated in favor of [EntryPoint redirection](../../routing/entrypoints.md#redirection) or the [RedirectScheme middleware](./redirectscheme.md).
The `sslRedirect` only allow HTTPS requests when set to `true`.
@ -357,7 +357,7 @@ The `sslRedirect` only allow HTTPS requests when set to `true`.
!!! warning
Deprecated in favor of [EntryPoint redirection](../routing/entrypoints.md#redirection) or the [RedirectScheme middleware](./redirectscheme.md).
Deprecated in favor of [EntryPoint redirection](../../routing/entrypoints.md#redirection) or the [RedirectScheme middleware](./redirectscheme.md).
Set `sslTemporaryRedirect` to `true` to force an SSL redirection using a 302 (instead of a 301).

2
docs/content/middlewares/inflightreq.md → docs/content/middlewares/http/inflightreq.md
View file

@ -3,7 +3,7 @@
Limiting the Number of Simultaneous In-Flight Requests
{: .subtitle }
![InFlightReq](../assets/img/middleware/inflightreq.png)
![InFlightReq](../../assets/img/middleware/inflightreq.png)
To proactively prevent services from being overwhelmed with high load, the number of allowed simultaneous in-flight requests can be limited.

2
docs/content/middlewares/ipwhitelist.md → docs/content/middlewares/http/ipwhitelist.md
View file

@ -3,7 +3,7 @@
Limiting Clients to Specific IPs
{: .subtitle }
![IpWhiteList](../assets/img/middleware/ipwhitelist.png)
![IpWhiteList](../../assets/img/middleware/ipwhitelist.png)
IPWhitelist accepts / refuses requests based on the client IP.

149
docs/content/middlewares/http/overview.md Normal file
View file

@ -0,0 +1,149 @@
# HTTP Middlewares
Controlling connections
{: .subtitle }
![Overview](../../assets/img/middleware/overview.png)
## Configuration Example
```yaml tab="Docker"
# As a Docker Label
whoami:
# A container that exposes an API to show its IP address
image: traefik/whoami
labels:
# Create a middleware named `foo-add-prefix`
- "traefik.http.middlewares.foo-add-prefix.addprefix.prefix=/foo"
# Apply the middleware named `foo-add-prefix` to the router named `router1`
- "traefik.http.routers.router1.middlewares=foo-add-prefix@docker"
```
```yaml tab="Kubernetes IngressRoute"
# As a Kubernetes Traefik IngressRoute
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: middlewares.traefik.containo.us
spec:
group: traefik.containo.us
version: v1alpha1
names:
kind: Middleware
plural: middlewares
singular: middleware
scope: Namespaced
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: stripprefix
spec:
stripPrefix:
prefixes:
- /stripit
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: ingressroute
spec:
# more fields...
routes:
# more fields...
middlewares:
- name: stripprefix
```
```yaml tab="Consul Catalog"
# Create a middleware named `foo-add-prefix`
- "traefik.http.middlewares.foo-add-prefix.addprefix.prefix=/foo"
# Apply the middleware named `foo-add-prefix` to the router named `router1`
- "traefik.http.routers.router1.middlewares=foo-add-prefix@consulcatalog"
```
```json tab="Marathon"
"labels": {
"traefik.http.middlewares.foo-add-prefix.addprefix.prefix": "/foo",
"traefik.http.routers.router1.middlewares": "foo-add-prefix@marathon"
}
```
```yaml tab="Rancher"
# As a Rancher Label
labels:
# Create a middleware named `foo-add-prefix`
- "traefik.http.middlewares.foo-add-prefix.addprefix.prefix=/foo"
# Apply the middleware named `foo-add-prefix` to the router named `router1`
- "traefik.http.routers.router1.middlewares=foo-add-prefix@rancher"
```
```toml tab="File (TOML)"
# As TOML Configuration File
[http.routers]
[http.routers.router1]
service = "myService"
middlewares = ["foo-add-prefix"]
rule = "Host(`example.com`)"
[http.middlewares]
[http.middlewares.foo-add-prefix.addPrefix]
prefix = "/foo"
[http.services]
[http.services.service1]
[http.services.service1.loadBalancer]
[[http.services.service1.loadBalancer.servers]]
url = "http://127.0.0.1:80"
```
```yaml tab="File (YAML)"
# As YAML Configuration File
http:
routers:
router1:
service: myService
middlewares:
- "foo-add-prefix"
rule: "Host(`example.com`)"
middlewares:
foo-add-prefix:
addPrefix:
prefix: "/foo"
services:
service1:
loadBalancer:
servers:
- url: "http://127.0.0.1:80"
```
## Available HTTP Middlewares
| Middleware | Purpose | Area |
|-------------------------------------------|---------------------------------------------------|-----------------------------|
| [AddPrefix](addprefix.md) | Add a Path Prefix | Path Modifier |
| [BasicAuth](basicauth.md) | Basic auth mechanism | Security, Authentication |
| [Buffering](buffering.md) | Buffers the request/response | Request Lifecycle |
| [Chain](chain.md) | Combine multiple pieces of middleware | Middleware tool |
| [CircuitBreaker](circuitbreaker.md) | Stop calling unhealthy services | Request Lifecycle |
| [Compress](compress.md) | Compress the response | Content Modifier |
| [DigestAuth](digestauth.md) | Adds Digest Authentication | Security, Authentication |
| [Errors](errorpages.md) | Define custom error pages | Request Lifecycle |
| [ForwardAuth](forwardauth.md) | Authentication delegation | Security, Authentication |
| [Headers](headers.md) | Add / Update headers | Security |
| [IPWhiteList](ipwhitelist.md) | Limit the allowed client IPs | Security, Request lifecycle |
| [InFlightReq](inflightreq.md) | Limit the number of simultaneous connections | Security, Request lifecycle |
| [PassTLSClientCert](passtlsclientcert.md) | Adding Client Certificates in a Header | Security |
| [RateLimit](ratelimit.md) | Limit the call frequency | Security, Request lifecycle |
| [RedirectScheme](redirectscheme.md) | Redirect easily the client elsewhere | Request lifecycle |
| [RedirectRegex](redirectregex.md) | Redirect the client elsewhere | Request lifecycle |
| [ReplacePath](replacepath.md) | Change the path of the request | Path Modifier |
| [ReplacePathRegex](replacepathregex.md) | Change the path of the request | Path Modifier |
| [Retry](retry.md) | Automatically retry the request in case of errors | Request lifecycle |
| [StripPrefix](stripprefix.md) | Change the path of the request | Path Modifier |
| [StripPrefixRegex](stripprefixregex.md) | Change the path of the request | Path Modifier |

2
docs/content/middlewares/passtlsclientcert.md → docs/content/middlewares/http/passtlsclientcert.md
View file

@ -248,7 +248,7 @@ PassTLSClientCert can add two headers to the request:
!!! info
* The headers are filled with escaped string so it can be safely placed inside a URL query.
* These options only work accordingly to the [MutualTLS configuration](../https/tls.md#client-authentication-mtls).
* These options only work accordingly to the [MutualTLS configuration](../../https/tls.md#client-authentication-mtls).
That is to say, only the certificates that match the `clientAuth.clientAuthType` policy are passed.
The following example shows a complete certificate and explains each of the middleware options.

0
docs/content/middlewares/ratelimit.md → docs/content/middlewares/http/ratelimit.md
View file

0
docs/content/middlewares/redirectregex.md → docs/content/middlewares/http/redirectregex.md
View file

0
docs/content/middlewares/redirectscheme.md → docs/content/middlewares/http/redirectscheme.md
View file

0
docs/content/middlewares/replacepath.md → docs/content/middlewares/http/replacepath.md
View file

0
docs/content/middlewares/replacepathregex.md → docs/content/middlewares/http/replacepathregex.md
View file

0
docs/content/middlewares/retry.md → docs/content/middlewares/http/retry.md
View file

0
docs/content/middlewares/stripprefix.md → docs/content/middlewares/http/stripprefix.md
View file

0
docs/content/middlewares/stripprefixregex.md → docs/content/middlewares/http/stripprefixregex.md
View file

28
docs/content/middlewares/overview.md
View file

@ -9,7 +9,7 @@ Attached to the routers, pieces of middleware are a means of tweaking the reques
There are several available middleware in Traefik, some can modify the request, the headers, some are in charge of redirections, some add authentication, and so on.
Pieces of middleware can be combined in chains to fit every scenario.
Middlewares that use the same protocol can be combined into chains to fit every scenario.
!!! warning "Provider Namespace"
@ -121,26 +121,6 @@ http:
## Available Middlewares
| Middleware | Purpose | Area |
|-------------------------------------------|---------------------------------------------------|-----------------------------|
| [AddPrefix](addprefix.md) | Add a Path Prefix | Path Modifier |
| [BasicAuth](basicauth.md) | Basic auth mechanism | Security, Authentication |
| [Buffering](buffering.md) | Buffers the request/response | Request Lifecycle |
| [Chain](chain.md) | Combine multiple pieces of middleware | Middleware tool |
| [CircuitBreaker](circuitbreaker.md) | Stop calling unhealthy services | Request Lifecycle |
| [Compress](compress.md) | Compress the response | Content Modifier |
| [DigestAuth](digestauth.md) | Adds Digest Authentication | Security, Authentication |
| [Errors](errorpages.md) | Define custom error pages | Request Lifecycle |
| [ForwardAuth](forwardauth.md) | Authentication delegation | Security, Authentication |
| [Headers](headers.md) | Add / Update headers | Security |
| [IPWhiteList](ipwhitelist.md) | Limit the allowed client IPs | Security, Request lifecycle |
| [InFlightReq](inflightreq.md) | Limit the number of simultaneous connections | Security, Request lifecycle |
| [PassTLSClientCert](passtlsclientcert.md) | Adding Client Certificates in a Header | Security |
| [RateLimit](ratelimit.md) | Limit the call frequency | Security, Request lifecycle |
| [RedirectScheme](redirectscheme.md) | Redirect easily the client elsewhere | Request lifecycle |
| [RedirectRegex](redirectregex.md) | Redirect the client elsewhere | Request lifecycle |
| [ReplacePath](replacepath.md) | Change the path of the request | Path Modifier |
| [ReplacePathRegex](replacepathregex.md) | Change the path of the request | Path Modifier |
| [Retry](retry.md) | Automatically retry the request in case of errors | Request lifecycle |
| [StripPrefix](stripprefix.md) | Change the path of the request | Path Modifier |
| [StripPrefixRegex](stripprefixregex.md) | Change the path of the request | Path Modifier |
A list of HTTP middlewares can be found [here](http/overview.md).
A list of TCP middlewares can be found [here](tcp/overview.md).

67
docs/content/middlewares/tcp/ipwhitelist.md Normal file
View file

@ -0,0 +1,67 @@
# IPWhiteList
Limiting Clients to Specific IPs
{: .subtitle }
IPWhitelist accepts / refuses connections based on the client IP.
## Configuration Examples
```yaml tab="Docker"
# Accepts connections from defined IP
labels:
- "traefik.tcp.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
```
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: MiddlewareTCP
metadata:
name: test-ipwhitelist
spec:
ipWhiteList:
sourceRange:
- 127.0.0.1/32
- 192.168.1.7
```
```yaml tab="Consul Catalog"
# Accepts request from defined IP
- "traefik.tcp.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
```
```json tab="Marathon"
"labels": {
"traefik.tcp.middlewares.test-ipwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32,192.168.1.7"
}
```
```yaml tab="Rancher"
# Accepts request from defined IP
labels:
- "traefik.tcp.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
```
```toml tab="File (TOML)"
# Accepts request from defined IP
[tcp.middlewares]
[tcp.middlewares.test-ipwhitelist.ipWhiteList]
sourceRange = ["127.0.0.1/32", "192.168.1.7"]
```
```yaml tab="File (YAML)"
# Accepts request from defined IP
http:
middlewares:
test-ipwhitelist:
ipWhiteList:
sourceRange:
- "127.0.0.1/32"
- "192.168.1.7"
```
## Configuration Options
### `sourceRange`
The `sourceRange` option sets the allowed IPs (or ranges of allowed IPs by using CIDR notation).

134
docs/content/middlewares/tcp/overview.md Normal file
View file

@ -0,0 +1,134 @@
# TCP Middlewares
Controlling connections
{: .subtitle }
![Overview](../../assets/img/middleware/overview.png)
## Configuration Example
```yaml tab="Docker"
# As a Docker Label
whoami:
# A container that exposes an API to show its IP address
image: traefik/whoami
labels:
# Create a middleware named `foo-ip-whitelist`
- "traefik.tcp.middlewares.foo-ip-whitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
# Apply the middleware named `foo-ip-whitelist` to the router named `router1`
- "traefik.tcp.routers.router1.middlewares=foo-ip-whitelist@docker"
```
```yaml tab="Kubernetes IngressRoute"
# As a Kubernetes Traefik IngressRoute
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: middlewaretcps.traefik.containo.us
spec:
group: traefik.containo.us
version: v1alpha1
names:
kind: MiddlewareTCP
plural: middlewaretcps
singular: middlewaretcp
scope: Namespaced
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: foo-ip-whitelist
spec:
ipWhiteList:
sourcerange:
- 127.0.0.1/32
- 192.168.1.7
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: ingressroute
spec:
# more fields...
routes:
# more fields...
middlewares:
- name: foo-ip-whitelist
```
```yaml tab="Consul Catalog"
# Create a middleware named `foo-ip-whitelist`
- "traefik.tcp.middlewares.foo-ip-whitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
# Apply the middleware named `foo-ip-whitelist` to the router named `router1`
- "traefik.tcp.routers.router1.middlewares=foo-ip-whitelist@consulcatalog"
```
```json tab="Marathon"
"labels": {
"traefik.tcp.middlewares.foo-ip-whitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7",
"traefik.tcp.routers.router1.middlewares=foo-ip-whitelist@marathon"
}
```
```yaml tab="Rancher"
# As a Rancher Label
labels:
# Create a middleware named `foo-ip-whitelist`
- "traefik.tcp.middlewares.foo-ip-whitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
# Apply the middleware named `foo-ip-whitelist` to the router named `router1`
- "traefik.tcp.routers.router1.middlewares=foo-ip-whitelist@rancher"
```
```toml tab="File (TOML)"
# As TOML Configuration File
[tcp.routers]
[tcp.routers.router1]
service = "myService"
middlewares = ["foo-ip-whitelist"]
rule = "Host(`example.com`)"
[tcp.middlewares]
[tcp.middlewares.foo-ip-whitelist.ipWhiteList]
sourceRange = ["127.0.0.1/32", "192.168.1.7"]
[tcp.services]
[tcp.services.service1]
[tcp.services.service1.loadBalancer]
[[tcp.services.service1.loadBalancer.servers]]
address = "10.0.0.10:4000"
[[tcp.services.service1.loadBalancer.servers]]
address = "10.0.0.11:4000"
```
```yaml tab="File (YAML)"
# As YAML Configuration File
tcp:
routers:
router1:
service: myService
middlewares:
- "foo-ip-whitelist"
rule: "Host(`example.com`)"
middlewares:
foo-ip-whitelist:
ipWhiteList:
sourceRange:
- "127.0.0.1/32"
- "192.168.1.7"
services:
service1:
loadBalancer:
servers:
- address: "10.0.0.10:4000"
- address: "10.0.0.11:4000"
```
## Available TCP Middlewares
| Middleware | Purpose | Area |
|-------------------------------------------|---------------------------------------------------|-----------------------------|
| [IPWhiteList](ipwhitelist.md) | Limit the allowed client IPs | Security, Request lifecycle |

14
docs/content/migration/v1-to-v2.md
View file

@ -327,7 +327,7 @@ With Traefik v2 it is applied on an entry point or a [Router](../routing/routers
To apply a redirection:
- on an entry point, the [HTTP redirection](../routing/entrypoints.md#redirection) has to be configured.
- on a router, one of the redirect middlewares, [RedirectRegex](../middlewares/redirectregex.md) or [RedirectScheme](../middlewares/redirectscheme.md), has to be configured and added to the router middlewares list.
- on a router, one of the redirect middlewares, [RedirectRegex](../middlewares/http/redirectregex.md) or [RedirectScheme](../middlewares/http/redirectscheme.md), has to be configured and added to the router middlewares list.
!!! example "Global HTTP to HTTPS redirection"
@ -545,7 +545,7 @@ Use Case: Incoming requests to `http://example.org/admin` are forwarded to the w
with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, you must:
- First, configure a router named `admin` with a rule matching at least the path prefix with the `PathPrefix` keyword,
- Then, define a middleware of type [`stripprefix`](../middlewares/stripprefix.md), which removes the prefix `/admin`, associated to the router `admin`.
- Then, define a middleware of type [`stripprefix`](../middlewares/http/stripprefix.md), which removes the prefix `/admin`, associated to the router `admin`.
!!! example "Strip Path Prefix When Forwarding to Backend"
@ -660,12 +660,12 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
??? question "What About Other Path Transformations?"
Instead of removing the path prefix with the [`stripprefix` middleware](../../middlewares/stripprefix/), you can also:
Instead of removing the path prefix with the [`stripprefix` middleware](../../middlewares/http/stripprefix/), you can also:
- Add a path prefix with the [`addprefix` middleware](../../middlewares/addprefix/)
- Replace the complete path of the request with the [`replacepath` middleware](../../middlewares/replacepath/)
- ReplaceRewrite path using Regexp with the [`replacepathregex` middleware](../../middlewares/replacepathregex/)
- And a lot more on the [`middlewares` page](../../middlewares/overview/)
- Add a path prefix with the [`addprefix` middleware](../../middlewares/http/addprefix/)
- Replace the complete path of the request with the [`replacepath` middleware](../../middlewares/http/replacepath/)
- ReplaceRewrite path using Regexp with the [`replacepathregex` middleware](../../middlewares/http/replacepathregex/)
- And a lot more on the [`HTTP middlewares` page](../../middlewares/http/overview/)
## ACME (LetsEncrypt)

2
docs/content/migration/v2.md
View file

@ -395,7 +395,7 @@ The support of the `networking.k8s.io/v1beta1` API Version will stop in Kubernet
For simple HTTP to HTTPS redirection, you may use [EntryPoints redirections](../routing/entrypoints.md#redirection).
For more advanced use cases, you can use either the [RedirectScheme middleware](../middlewares/redirectscheme.md) or the [RedirectRegex middleware](../middlewares/redirectregex.md).
For more advanced use cases, you can use either the [RedirectScheme middleware](../middlewares/http/redirectscheme.md) or the [RedirectRegex middleware](../middlewares/http/redirectregex.md).
### Headers middleware: accessControlAllowOrigin

4
docs/content/operations/dashboard.md
View file

@ -66,8 +66,8 @@ with a router attached to the service `api@internal` in the
to allow defining:
- One or more security features through [middlewares](../middlewares/overview.md)
like authentication ([basicAuth](../middlewares/basicauth.md) , [digestAuth](../middlewares/digestauth.md),
[forwardAuth](../middlewares/forwardauth.md)) or [whitelisting](../middlewares/ipwhitelist.md).
like authentication ([basicAuth](../middlewares/http/basicauth.md) , [digestAuth](../middlewares/http/digestauth.md),
[forwardAuth](../middlewares/http/forwardauth.md)) or [whitelisting](../middlewares/http/ipwhitelist.md).
- A [router rule](#dashboard-router-rule) for accessing the dashboard,
through Traefik itself (sometimes referred as "Traefik-ception").

3
docs/content/reference/dynamic-configuration/docker-labels.yml
View file

@ -159,7 +159,9 @@
- "traefik.http.services.service01.loadbalancer.server.port=foobar"
- "traefik.http.services.service01.loadbalancer.server.scheme=foobar"
- "traefik.http.services.service01.loadbalancer.serverstransport=foobar"
- "traefik.tcp.middlewares.middleware00.ipwhitelist.sourcerange=foobar, foobar"
- "traefik.tcp.routers.tcprouter0.entrypoints=foobar, foobar"
- "traefik.tcp.routers.tcprouter0.middlewares=foobar, foobar"
- "traefik.tcp.routers.tcprouter0.rule=foobar"
- "traefik.tcp.routers.tcprouter0.service=foobar"
- "traefik.tcp.routers.tcprouter0.tls=true"
@ -171,6 +173,7 @@
- "traefik.tcp.routers.tcprouter0.tls.options=foobar"
- "traefik.tcp.routers.tcprouter0.tls.passthrough=true"
- "traefik.tcp.routers.tcprouter1.entrypoints=foobar, foobar"
- "traefik.tcp.routers.tcprouter1.middlewares=foobar, foobar"
- "traefik.tcp.routers.tcprouter1.rule=foobar"
- "traefik.tcp.routers.tcprouter1.service=foobar"
- "traefik.tcp.routers.tcprouter1.tls=true"

6
docs/content/reference/dynamic-configuration/file.toml
View file

@ -310,6 +310,7 @@
[tcp.routers]
[tcp.routers.TCPRouter0]
entryPoints = ["foobar", "foobar"]
middlewares = ["foobar", "foobar"]
service = "foobar"
rule = "foobar"
[tcp.routers.TCPRouter0.tls]
@ -326,6 +327,7 @@
sans = ["foobar", "foobar"]
[tcp.routers.TCPRouter1]
entryPoints = ["foobar", "foobar"]
middlewares = ["foobar", "foobar"]
service = "foobar"
rule = "foobar"
[tcp.routers.TCPRouter1.tls]
@ -362,6 +364,10 @@
[[tcp.services.TCPService02.weighted.services]]
name = "foobar"
weight = 42
[tcp.middlewares]
[tcp.middlewares.Middleware00]
[tcp.middlewares.Middleware00.ipWhiteList]
sourceRange = ["foobar", "foobar"]
[udp]
[udp.routers]

12
docs/content/reference/dynamic-configuration/file.yaml
View file

@ -350,6 +350,9 @@ tcp:
entryPoints:
- foobar
- foobar
middlewares:
- foobar
- foobar
service: foobar
rule: foobar
tls:
@ -369,6 +372,9 @@ tcp:
entryPoints:
- foobar
- foobar
middlewares:
- foobar
- foobar
service: foobar
rule: foobar
tls:
@ -384,6 +390,12 @@ tcp:
sans:
- foobar
- foobar
middlewares:
Middleware00:
ipWhiteList:
sourceRange:
- foobar
- foobar
services:
TCPService01:
loadBalancer:

15
docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1beta1.yml
View file

@ -27,6 +27,21 @@ spec:
singular: middleware
scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: middlewaretcps.traefik.containo.us
spec:
group: traefik.containo.us
version: v1alpha1
names:
kind: MiddlewareTCP
plural: middlewaretcps
singular: middlewaretcp
scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition

1
docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
View file

@ -34,6 +34,7 @@ rules:
- traefik.containo.us
resources:
- middlewares
- middlewaretcps
- ingressroutes
- traefikservices
- ingressroutetcps

2
docs/content/reference/dynamic-configuration/kubernetes-crd-resource.yml
View file

@ -147,6 +147,8 @@ spec:
services:
- name: whoamitcp
port: 8080
middlewares:
- name: ipwhitelist
tls:
secretName: foosecret
passthrough: false

6
docs/content/reference/dynamic-configuration/kv-ref.md
View file

@ -220,8 +220,12 @@
| `traefik/http/services/Service03/weighted/sticky/cookie/name` | `foobar` |
| `traefik/http/services/Service03/weighted/sticky/cookie/sameSite` | `foobar` |
| `traefik/http/services/Service03/weighted/sticky/cookie/secure` | `true` |
| `traefik/tcp/middlewares/Middleware00/ipWhiteList/sourceRange/0` | `foobar` |
| `traefik/tcp/middlewares/Middleware00/ipWhiteList/sourceRange/1` | `foobar` |
| `traefik/tcp/routers/TCPRouter0/entryPoints/0` | `foobar` |
| `traefik/tcp/routers/TCPRouter0/entryPoints/1` | `foobar` |
| `traefik/tcp/routers/TCPRouter0/middlewares/0` | `foobar` |
| `traefik/tcp/routers/TCPRouter0/middlewares/1` | `foobar` |
| `traefik/tcp/routers/TCPRouter0/rule` | `foobar` |
| `traefik/tcp/routers/TCPRouter0/service` | `foobar` |
| `traefik/tcp/routers/TCPRouter0/tls/certResolver` | `foobar` |
@ -235,6 +239,8 @@
| `traefik/tcp/routers/TCPRouter0/tls/passthrough` | `true` |
| `traefik/tcp/routers/TCPRouter1/entryPoints/0` | `foobar` |
| `traefik/tcp/routers/TCPRouter1/entryPoints/1` | `foobar` |
| `traefik/tcp/routers/TCPRouter1/middlewares/0` | `foobar` |
| `traefik/tcp/routers/TCPRouter1/middlewares/1` | `foobar` |
| `traefik/tcp/routers/TCPRouter1/rule` | `foobar` |
| `traefik/tcp/routers/TCPRouter1/service` | `foobar` |
| `traefik/tcp/routers/TCPRouter1/tls/certResolver` | `foobar` |

15
docs/content/reference/dynamic-configuration/traefik.containo.us_ingressroutetcps.yaml
View file

@ -47,6 +47,21 @@ spec:
properties:
match:
type: string
middlewares:
description: Middlewares contains references to MiddlewareTCP
resources.
items:
description: ObjectReference is a generic reference to a Traefik
resource.
properties:
name:
type: string
namespace:
type: string
required:
- name
type: object
type: array
services:
items:
description: ServiceTCP defines an upstream to proxy traffic.

59
docs/content/reference/dynamic-configuration/traefik.containo.us_middlewaretcps.yaml Normal file
View file

@ -0,0 +1,59 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.4.1
creationTimestamp: null
name: middlewaretcps.traefik.containo.us
spec:
group: traefik.containo.us
names:
kind: MiddlewareTCP
listKind: MiddlewareTCPList
plural: middlewaretcps
singular: middlewaretcp
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: MiddlewareTCP is a specification for a MiddlewareTCP resource.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: MiddlewareTCPSpec holds the MiddlewareTCP configuration.
properties:
ipWhiteList:
description: TCPIPWhiteList holds the TCP ip white list configuration.
properties:
sourceRange:
items:
type: string
type: array
type: object
type: object
required:
- metadata
- spec
type: object
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

2
docs/content/routing/overview.md
View file

@ -22,7 +22,7 @@ If they do, the router might transform the request using pieces of [middleware](
## Example with a File Provider
Below is an example of a full configuration file for the [file provider](../providers/file.md) that forwards `http://domain/whoami/` requests to a service reachable on `http://private/whoami-service/`.
In the process, Traefik will make sure that the user is authenticated (using the [BasicAuth middleware](../middlewares/basicauth.md)).
In the process, Traefik will make sure that the user is authenticated (using the [BasicAuth middleware](../middlewares/http/basicauth.md)).
Static configuration:

2
docs/content/routing/providers/consul-catalog.md
View file

@ -263,7 +263,7 @@ you'd add the tag `traefik.http.services.{name-of-your-choice}.loadbalancer.pass
You can declare pieces of middleware using tags starting with `traefik.http.middlewares.{name-of-your-choice}.`, followed by the middleware type/options.
For example, to declare a middleware [`redirectscheme`](../../middlewares/redirectscheme.md) named `my-redirect`, you'd write `traefik.http.middlewares.my-redirect.redirectscheme.scheme: https`.
For example, to declare a middleware [`redirectscheme`](../../middlewares/http/redirectscheme.md) named `my-redirect`, you'd write `traefik.http.middlewares.my-redirect.redirectscheme.scheme: https`.
More information about available middlewares in the dedicated [middlewares section](../../middlewares/overview.md).

2
docs/content/routing/providers/docker.md
View file

@ -419,7 +419,7 @@ you'd add the label `traefik.http.services.<name-of-your-choice>.loadbalancer.pa
You can declare pieces of middleware using labels starting with `traefik.http.middlewares.<name-of-your-choice>.`,
followed by the middleware type/options.
For example, to declare a middleware [`redirectscheme`](../../middlewares/redirectscheme.md) named `my-redirect`,
For example, to declare a middleware [`redirectscheme`](../../middlewares/http/redirectscheme.md) named `my-redirect`,
you'd write `traefik.http.middlewares.my-redirect.redirectscheme.scheme=https`.
More information about available middlewares in the dedicated [middlewares section](../../middlewares/overview.md).

2
docs/content/routing/providers/ecs.md
View file

@ -268,7 +268,7 @@ you'd add the label `traefik.http.services.{name-of-your-choice}.loadbalancer.pa
You can declare pieces of middleware using labels starting with `traefik.http.middlewares.{name-of-your-choice}.`, followed by the middleware type/options.
For example, to declare a middleware [`redirectscheme`](../../middlewares/redirectscheme.md) named `my-redirect`, you'd write `traefik.http.middlewares.my-redirect.redirectscheme.scheme: https`.
For example, to declare a middleware [`redirectscheme`](../../middlewares/http/redirectscheme.md) named `my-redirect`, you'd write `traefik.http.middlewares.my-redirect.redirectscheme.scheme: https`.
More information about available middlewares in the dedicated [middlewares section](../../middlewares/overview.md).

2
docs/content/routing/providers/marathon.md
View file

@ -293,7 +293,7 @@ For example, to change the passHostHeader behavior, you'd add the label `"traefi
You can declare pieces of middleware using labels starting with `traefik.http.middlewares.{middleware-name-of-your-choice}.`, followed by the middleware type/options.
For example, to declare a middleware [`redirectscheme`](../../middlewares/redirectscheme.md) named `my-redirect`, you'd write `"traefik.http.middlewares.my-redirect.redirectscheme.scheme": "https"`.
For example, to declare a middleware [`redirectscheme`](../../middlewares/http/redirectscheme.md) named `my-redirect`, you'd write `"traefik.http.middlewares.my-redirect.redirectscheme.scheme": "https"`.
More information about available middlewares in the dedicated [middlewares section](../../middlewares/overview.md).

2
docs/content/routing/providers/rancher.md
View file

@ -299,7 +299,7 @@ you'd add the label `traefik.http.services.{name-of-your-choice}.loadbalancer.pa
You can declare pieces of middleware using labels starting with `traefik.http.middlewares.{name-of-your-choice}.`, followed by the middleware type/options.
For example, to declare a middleware [`redirectscheme`](../../middlewares/redirectscheme.md) named `my-redirect`, you'd write `traefik.http.middlewares.my-redirect.redirectscheme.scheme: https`.
For example, to declare a middleware [`redirectscheme`](../../middlewares/http/redirectscheme.md) named `my-redirect`, you'd write `traefik.http.middlewares.my-redirect.redirectscheme.scheme: https`.
More information about available middlewares in the dedicated [middlewares section](../../middlewares/overview.md).

35
docs/content/routing/routers/index.md
View file

@ -808,6 +808,41 @@ If you want to limit the router scope to a set of entry points, set the entry po
Hence, only TLS routers will be able to specify a domain name with that rule.
However, non-TLS routers will have to explicitly use that rule with `*` (every domain) to state that every non-TLS request will be handled by the router.
### Middlewares
You can attach a list of [middlewares](../../middlewares/overview.md) to each TCP router.
The middlewares will take effect only if the rule matches, and before connecting to the service.
!!! warning "The character `@` is not allowed to be used in the middleware name."
!!! tip "Middlewares order"
Middlewares are applied in the same order as their declaration in **router**.
??? example "With a [middleware](../../middlewares/tcp/overview.md) -- using the [File Provider](../../providers/file.md)"
```toml tab="TOML"
## Dynamic configuration
[tcp.routers]
[tcp.routers.my-router]
rule = "HostSNI(`*`)"
# declared elsewhere
middlewares = ["ipwhitelist"]
service = "service-foo"
```
```yaml tab="YAML"
## Dynamic configuration
tcp:
routers:
my-router:
rule: "HostSNI(`*`)"
# declared elsewhere
middlewares:
- ipwhitelist
service: service-foo
```
### Services
You must attach a TCP [service](../services/index.md) per TCP router.

2
docs/content/routing/services/index.md
View file

@ -116,7 +116,7 @@ The `url` option point to a specific instance.
!!! info ""
Paths in the servers' `url` have no effect.
If you want the requests to be sent to a specific path on your servers,
configure your [`routers`](../routers/index.md) to use a corresponding [middleware](../../middlewares/overview.md) (e.g. the [AddPrefix](../../middlewares/addprefix.md) or [ReplacePath](../../middlewares/replacepath.md)) middlewares.
configure your [`routers`](../routers/index.md) to use a corresponding [middleware](../../middlewares/overview.md) (e.g. the [AddPrefix](../../middlewares/http/addprefix.md) or [ReplacePath](../../middlewares/http/replacepath.md)) middlewares.
??? example "A Service with One Server -- Using the [File Provider](../../providers/file.md)"

2
docs/content/user-guides/marathon.md
View file

@ -57,7 +57,7 @@ Beginning with version 1.4, Traefik respects readiness check results if the Trae
Due to the way readiness check results are currently exposed by the Marathon API, ready tasks may be taken into rotation with a small delay.
It is on the order of one readiness check timeout interval (as configured on the application specification) and guarantees that non-ready tasks do not receive traffic prematurely.
If readiness checks are not possible, a current mitigation strategy is to enable [retries](../middlewares/retry.md) and make sure that a sufficient number of healthy application tasks exist so that one retry will likely hit one of those.
If readiness checks are not possible, a current mitigation strategy is to enable [retries](../middlewares/http/retry.md) and make sure that a sufficient number of healthy application tasks exist so that one retry will likely hit one of those.
Apart from its probabilistic nature, the workaround comes at the price of increased latency.
#### Shutdown

51
docs/mkdocs.yml
View file

@ -104,29 +104,34 @@ nav:
- 'TLS': 'https/tls.md'
- 'Let''s Encrypt': 'https/acme.md'
- 'Middlewares':
- 'Overview': 'middlewares/overview.md'
- 'AddPrefix': 'middlewares/addprefix.md'
- 'BasicAuth': 'middlewares/basicauth.md'
- 'Buffering': 'middlewares/buffering.md'
- 'Chain': 'middlewares/chain.md'
- 'CircuitBreaker': 'middlewares/circuitbreaker.md'
- 'Compress': 'middlewares/compress.md'
- 'ContentType': 'middlewares/contenttype.md'
- 'DigestAuth': 'middlewares/digestauth.md'
- 'Errors': 'middlewares/errorpages.md'
- 'ForwardAuth': 'middlewares/forwardauth.md'
- 'Headers': 'middlewares/headers.md'
- 'IpWhitelist': 'middlewares/ipwhitelist.md'
- 'InFlightReq': 'middlewares/inflightreq.md'
- 'PassTLSClientCert': 'middlewares/passtlsclientcert.md'
- 'RateLimit': 'middlewares/ratelimit.md'
- 'RedirectRegex': 'middlewares/redirectregex.md'
- 'RedirectScheme': 'middlewares/redirectscheme.md'
- 'ReplacePath': 'middlewares/replacepath.md'
- 'ReplacePathRegex': 'middlewares/replacepathregex.md'
- 'Retry': 'middlewares/retry.md'
- 'StripPrefix': 'middlewares/stripprefix.md'
- 'StripPrefixRegex': 'middlewares/stripprefixregex.md'
- 'Overview': 'middlewares/overview.md'
- 'HTTP':
- 'Overview': 'middlewares/http/overview.md'
- 'AddPrefix': 'middlewares/http/addprefix.md'
- 'BasicAuth': 'middlewares/http/basicauth.md'
- 'Buffering': 'middlewares/http/buffering.md'
- 'Chain': 'middlewares/http/chain.md'
- 'CircuitBreaker': 'middlewares/http/circuitbreaker.md'
- 'Compress': 'middlewares/http/compress.md'
- 'ContentType': 'middlewares/http/contenttype.md'
- 'DigestAuth': 'middlewares/http/digestauth.md'
- 'Errors': 'middlewares/http/errorpages.md'
- 'ForwardAuth': 'middlewares/http/forwardauth.md'
- 'Headers': 'middlewares/http/headers.md'
- 'IpWhitelist': 'middlewares/http/ipwhitelist.md'
- 'InFlightReq': 'middlewares/http/inflightreq.md'
- 'PassTLSClientCert': 'middlewares/http/passtlsclientcert.md'
- 'RateLimit': 'middlewares/http/ratelimit.md'
- 'RedirectRegex': 'middlewares/http/redirectregex.md'
- 'RedirectScheme': 'middlewares/http/redirectscheme.md'
- 'ReplacePath': 'middlewares/http/replacepath.md'
- 'ReplacePathRegex': 'middlewares/http/replacepathregex.md'
- 'Retry': 'middlewares/http/retry.md'
- 'StripPrefix': 'middlewares/http/stripprefix.md'
- 'StripPrefixRegex': 'middlewares/http/stripprefixregex.md'
- 'TCP':
- 'Overview': 'middlewares/tcp/overview.md'
- 'IpWhitelist': 'middlewares/tcp/ipwhitelist.md'
- 'Plugins & Traefik Pilot': 'plugins/index.md'
- 'Operations':
- 'CLI': 'operations/cli.md'