homelab/traefik
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add TCP Middlewares support

Browse source
This commit is contained in:
Romain 2021-06-11 15:30:05 +02:00 committed by GitHub
parent 679def0151
commit fc9f41b955
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
134 changed files with 5865 additions and 1852 deletions
Download patch file Download diff file Expand all files Collapse all files

2
docs/content/middlewares/addprefix.md → docs/content/middlewares/http/addprefix.md
View file

@ -3,7 +3,7 @@
Prefixing the Path
{: .subtitle }
![AddPrefix](../assets/img/middleware/addprefix.png)
![AddPrefix](../../assets/img/middleware/addprefix.png)
The AddPrefix middleware updates the path of a request before forwarding it.

2
docs/content/middlewares/basicauth.md → docs/content/middlewares/http/basicauth.md
View file

@ -3,7 +3,7 @@
Adding Basic Authentication
{: .subtitle }
![BasicAuth](../assets/img/middleware/basicauth.png)
![BasicAuth](../../assets/img/middleware/basicauth.png)
The BasicAuth middleware restricts access to your services to known users.

2
docs/content/middlewares/buffering.md → docs/content/middlewares/http/buffering.md
View file

@ -3,7 +3,7 @@
How to Read the Request before Forwarding It
{: .subtitle }
![Buffering](../assets/img/middleware/buffering.png)
![Buffering](../../assets/img/middleware/buffering.png)
The Buffering middleware limits the size of requests that can be forwarded to services.

2
docs/content/middlewares/chain.md → docs/content/middlewares/http/chain.md
View file

@ -3,7 +3,7 @@
When One Isn't Enough
{: .subtitle }
![Chain](../assets/img/middleware/chain.png)
![Chain](../../assets/img/middleware/chain.png)
The Chain middleware enables you to define reusable combinations of other pieces of middleware.
It makes reusing the same groups easier.

2
docs/content/middlewares/circuitbreaker.md → docs/content/middlewares/http/circuitbreaker.md
View file

@ -3,7 +3,7 @@
Don't Waste Time Calling Unhealthy Services
{: .subtitle }
![CircuitBreaker](../assets/img/middleware/circuitbreaker.png)
![CircuitBreaker](../../assets/img/middleware/circuitbreaker.png)
The circuit breaker protects your system from stacking requests to unhealthy services, resulting in cascading failures.

2
docs/content/middlewares/compress.md → docs/content/middlewares/http/compress.md
View file

@ -3,7 +3,7 @@
Compress Responses before Sending them to the Client
{: .subtitle }
![Compress](../assets/img/middleware/compress.png)
![Compress](../../assets/img/middleware/compress.png)
The Compress middleware uses gzip compression.

0
docs/content/middlewares/contenttype.md → docs/content/middlewares/http/contenttype.md
View file

2
docs/content/middlewares/digestauth.md → docs/content/middlewares/http/digestauth.md
View file

@ -3,7 +3,7 @@
Adding Digest Authentication
{: .subtitle }
![BasicAuth](../assets/img/middleware/digestauth.png)
![BasicAuth](../../assets/img/middleware/digestauth.png)
The DigestAuth middleware restricts access to your services to known users.

2
docs/content/middlewares/errorpages.md → docs/content/middlewares/http/errorpages.md
View file

@ -3,7 +3,7 @@
It Has Never Been Easier to Say That Something Went Wrong
{: .subtitle }
![ErrorPages](../assets/img/middleware/errorpages.png)
![ErrorPages](../../assets/img/middleware/errorpages.png)
The ErrorPage middleware returns a custom page in lieu of the default, according to configured ranges of HTTP Status codes.

2
docs/content/middlewares/forwardauth.md → docs/content/middlewares/http/forwardauth.md
View file

@ -3,7 +3,7 @@
Using an External Service to Forward Authentication
{: .subtitle }
![AuthForward](../assets/img/middleware/authforward.png)
![AuthForward](../../assets/img/middleware/authforward.png)
The ForwardAuth middleware delegates authentication to an external service.
If the service answers with a 2XX code, access is granted, and the original request is performed.

6
docs/content/middlewares/headers.md → docs/content/middlewares/http/headers.md
View file

@ -3,7 +3,7 @@
Managing Request/Response headers
{: .subtitle }
![Headers](../assets/img/middleware/headers.png)
![Headers](../../assets/img/middleware/headers.png)
The Headers middleware manages the headers of requests and responses.
@ -349,7 +349,7 @@ The `hostsProxyHeaders` option is a set of header keys that may hold a proxied h
!!! warning
Deprecated in favor of [EntryPoint redirection](../routing/entrypoints.md#redirection) or the [RedirectScheme middleware](./redirectscheme.md).
Deprecated in favor of [EntryPoint redirection](../../routing/entrypoints.md#redirection) or the [RedirectScheme middleware](./redirectscheme.md).
The `sslRedirect` only allow HTTPS requests when set to `true`.
@ -357,7 +357,7 @@ The `sslRedirect` only allow HTTPS requests when set to `true`.
!!! warning
Deprecated in favor of [EntryPoint redirection](../routing/entrypoints.md#redirection) or the [RedirectScheme middleware](./redirectscheme.md).
Deprecated in favor of [EntryPoint redirection](../../routing/entrypoints.md#redirection) or the [RedirectScheme middleware](./redirectscheme.md).
Set `sslTemporaryRedirect` to `true` to force an SSL redirection using a 302 (instead of a 301).

2
docs/content/middlewares/inflightreq.md → docs/content/middlewares/http/inflightreq.md
View file

@ -3,7 +3,7 @@
Limiting the Number of Simultaneous In-Flight Requests
{: .subtitle }
![InFlightReq](../assets/img/middleware/inflightreq.png)
![InFlightReq](../../assets/img/middleware/inflightreq.png)
To proactively prevent services from being overwhelmed with high load, the number of allowed simultaneous in-flight requests can be limited.

2
docs/content/middlewares/ipwhitelist.md → docs/content/middlewares/http/ipwhitelist.md
View file

@ -3,7 +3,7 @@
Limiting Clients to Specific IPs
{: .subtitle }
![IpWhiteList](../assets/img/middleware/ipwhitelist.png)
![IpWhiteList](../../assets/img/middleware/ipwhitelist.png)
IPWhitelist accepts / refuses requests based on the client IP.

149
docs/content/middlewares/http/overview.md Normal file
View file

@ -0,0 +1,149 @@
# HTTP Middlewares
Controlling connections
{: .subtitle }
![Overview](../../assets/img/middleware/overview.png)
## Configuration Example
```yaml tab="Docker"
# As a Docker Label
whoami:
# A container that exposes an API to show its IP address
image: traefik/whoami
labels:
# Create a middleware named `foo-add-prefix`
- "traefik.http.middlewares.foo-add-prefix.addprefix.prefix=/foo"
# Apply the middleware named `foo-add-prefix` to the router named `router1`
- "traefik.http.routers.router1.middlewares=foo-add-prefix@docker"
```
```yaml tab="Kubernetes IngressRoute"
# As a Kubernetes Traefik IngressRoute
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: middlewares.traefik.containo.us
spec:
group: traefik.containo.us
version: v1alpha1
names:
kind: Middleware
plural: middlewares
singular: middleware
scope: Namespaced
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: stripprefix
spec:
stripPrefix:
prefixes:
- /stripit
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: ingressroute
spec:
# more fields...
routes:
# more fields...
middlewares:
- name: stripprefix
```
```yaml tab="Consul Catalog"
# Create a middleware named `foo-add-prefix`
- "traefik.http.middlewares.foo-add-prefix.addprefix.prefix=/foo"
# Apply the middleware named `foo-add-prefix` to the router named `router1`
- "traefik.http.routers.router1.middlewares=foo-add-prefix@consulcatalog"
```
```json tab="Marathon"
"labels": {
"traefik.http.middlewares.foo-add-prefix.addprefix.prefix": "/foo",
"traefik.http.routers.router1.middlewares": "foo-add-prefix@marathon"
}
```
```yaml tab="Rancher"
# As a Rancher Label
labels:
# Create a middleware named `foo-add-prefix`
- "traefik.http.middlewares.foo-add-prefix.addprefix.prefix=/foo"
# Apply the middleware named `foo-add-prefix` to the router named `router1`
- "traefik.http.routers.router1.middlewares=foo-add-prefix@rancher"
```
```toml tab="File (TOML)"
# As TOML Configuration File
[http.routers]
[http.routers.router1]
service = "myService"
middlewares = ["foo-add-prefix"]
rule = "Host(`example.com`)"
[http.middlewares]
[http.middlewares.foo-add-prefix.addPrefix]
prefix = "/foo"
[http.services]
[http.services.service1]
[http.services.service1.loadBalancer]
[[http.services.service1.loadBalancer.servers]]
url = "http://127.0.0.1:80"
```
```yaml tab="File (YAML)"
# As YAML Configuration File
http:
routers:
router1:
service: myService
middlewares:
- "foo-add-prefix"
rule: "Host(`example.com`)"
middlewares:
foo-add-prefix:
addPrefix:
prefix: "/foo"
services:
service1:
loadBalancer:
servers:
- url: "http://127.0.0.1:80"
```
## Available HTTP Middlewares
| Middleware | Purpose | Area |
|-------------------------------------------|---------------------------------------------------|-----------------------------|
| [AddPrefix](addprefix.md) | Add a Path Prefix | Path Modifier |
| [BasicAuth](basicauth.md) | Basic auth mechanism | Security, Authentication |
| [Buffering](buffering.md) | Buffers the request/response | Request Lifecycle |
| [Chain](chain.md) | Combine multiple pieces of middleware | Middleware tool |
| [CircuitBreaker](circuitbreaker.md) | Stop calling unhealthy services | Request Lifecycle |
| [Compress](compress.md) | Compress the response | Content Modifier |
| [DigestAuth](digestauth.md) | Adds Digest Authentication | Security, Authentication |
| [Errors](errorpages.md) | Define custom error pages | Request Lifecycle |
| [ForwardAuth](forwardauth.md) | Authentication delegation | Security, Authentication |
| [Headers](headers.md) | Add / Update headers | Security |
| [IPWhiteList](ipwhitelist.md) | Limit the allowed client IPs | Security, Request lifecycle |
| [InFlightReq](inflightreq.md) | Limit the number of simultaneous connections | Security, Request lifecycle |
| [PassTLSClientCert](passtlsclientcert.md) | Adding Client Certificates in a Header | Security |
| [RateLimit](ratelimit.md) | Limit the call frequency | Security, Request lifecycle |
| [RedirectScheme](redirectscheme.md) | Redirect easily the client elsewhere | Request lifecycle |
| [RedirectRegex](redirectregex.md) | Redirect the client elsewhere | Request lifecycle |
| [ReplacePath](replacepath.md) | Change the path of the request | Path Modifier |
| [ReplacePathRegex](replacepathregex.md) | Change the path of the request | Path Modifier |
| [Retry](retry.md) | Automatically retry the request in case of errors | Request lifecycle |
| [StripPrefix](stripprefix.md) | Change the path of the request | Path Modifier |
| [StripPrefixRegex](stripprefixregex.md) | Change the path of the request | Path Modifier |

2
docs/content/middlewares/passtlsclientcert.md → docs/content/middlewares/http/passtlsclientcert.md
View file

@ -248,7 +248,7 @@ PassTLSClientCert can add two headers to the request:
!!! info
* The headers are filled with escaped string so it can be safely placed inside a URL query.
* These options only work accordingly to the [MutualTLS configuration](../https/tls.md#client-authentication-mtls).
* These options only work accordingly to the [MutualTLS configuration](../../https/tls.md#client-authentication-mtls).
That is to say, only the certificates that match the `clientAuth.clientAuthType` policy are passed.
The following example shows a complete certificate and explains each of the middleware options.

0
docs/content/middlewares/ratelimit.md → docs/content/middlewares/http/ratelimit.md
View file

0
docs/content/middlewares/redirectregex.md → docs/content/middlewares/http/redirectregex.md
View file

0
docs/content/middlewares/redirectscheme.md → docs/content/middlewares/http/redirectscheme.md
View file

0
docs/content/middlewares/replacepath.md → docs/content/middlewares/http/replacepath.md
View file

0
docs/content/middlewares/replacepathregex.md → docs/content/middlewares/http/replacepathregex.md
View file

0
docs/content/middlewares/retry.md → docs/content/middlewares/http/retry.md
View file

0
docs/content/middlewares/stripprefix.md → docs/content/middlewares/http/stripprefix.md
View file

0
docs/content/middlewares/stripprefixregex.md → docs/content/middlewares/http/stripprefixregex.md
View file

28
docs/content/middlewares/overview.md
View file

@ -9,7 +9,7 @@ Attached to the routers, pieces of middleware are a means of tweaking the reques
There are several available middleware in Traefik, some can modify the request, the headers, some are in charge of redirections, some add authentication, and so on.
Pieces of middleware can be combined in chains to fit every scenario.
Middlewares that use the same protocol can be combined into chains to fit every scenario.
!!! warning "Provider Namespace"
@ -121,26 +121,6 @@ http:
## Available Middlewares
| Middleware | Purpose | Area |
|-------------------------------------------|---------------------------------------------------|-----------------------------|
| [AddPrefix](addprefix.md) | Add a Path Prefix | Path Modifier |
| [BasicAuth](basicauth.md) | Basic auth mechanism | Security, Authentication |
| [Buffering](buffering.md) | Buffers the request/response | Request Lifecycle |
| [Chain](chain.md) | Combine multiple pieces of middleware | Middleware tool |
| [CircuitBreaker](circuitbreaker.md) | Stop calling unhealthy services | Request Lifecycle |
| [Compress](compress.md) | Compress the response | Content Modifier |
| [DigestAuth](digestauth.md) | Adds Digest Authentication | Security, Authentication |
| [Errors](errorpages.md) | Define custom error pages | Request Lifecycle |
| [ForwardAuth](forwardauth.md) | Authentication delegation | Security, Authentication |
| [Headers](headers.md) | Add / Update headers | Security |
| [IPWhiteList](ipwhitelist.md) | Limit the allowed client IPs | Security, Request lifecycle |
| [InFlightReq](inflightreq.md) | Limit the number of simultaneous connections | Security, Request lifecycle |
| [PassTLSClientCert](passtlsclientcert.md) | Adding Client Certificates in a Header | Security |
| [RateLimit](ratelimit.md) | Limit the call frequency | Security, Request lifecycle |
| [RedirectScheme](redirectscheme.md) | Redirect easily the client elsewhere | Request lifecycle |
| [RedirectRegex](redirectregex.md) | Redirect the client elsewhere | Request lifecycle |
| [ReplacePath](replacepath.md) | Change the path of the request | Path Modifier |
| [ReplacePathRegex](replacepathregex.md) | Change the path of the request | Path Modifier |
| [Retry](retry.md) | Automatically retry the request in case of errors | Request lifecycle |
| [StripPrefix](stripprefix.md) | Change the path of the request | Path Modifier |
| [StripPrefixRegex](stripprefixregex.md) | Change the path of the request | Path Modifier |
A list of HTTP middlewares can be found [here](http/overview.md).
A list of TCP middlewares can be found [here](tcp/overview.md).

67
docs/content/middlewares/tcp/ipwhitelist.md Normal file
View file

@ -0,0 +1,67 @@
# IPWhiteList
Limiting Clients to Specific IPs
{: .subtitle }
IPWhitelist accepts / refuses connections based on the client IP.
## Configuration Examples
```yaml tab="Docker"
# Accepts connections from defined IP
labels:
- "traefik.tcp.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
```
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: MiddlewareTCP
metadata:
name: test-ipwhitelist
spec:
ipWhiteList:
sourceRange:
- 127.0.0.1/32
- 192.168.1.7
```
```yaml tab="Consul Catalog"
# Accepts request from defined IP
- "traefik.tcp.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
```
```json tab="Marathon"
"labels": {
"traefik.tcp.middlewares.test-ipwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32,192.168.1.7"
}
```
```yaml tab="Rancher"
# Accepts request from defined IP
labels:
- "traefik.tcp.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
```
```toml tab="File (TOML)"
# Accepts request from defined IP
[tcp.middlewares]
[tcp.middlewares.test-ipwhitelist.ipWhiteList]
sourceRange = ["127.0.0.1/32", "192.168.1.7"]
```
```yaml tab="File (YAML)"
# Accepts request from defined IP
http:
middlewares:
test-ipwhitelist:
ipWhiteList:
sourceRange:
- "127.0.0.1/32"
- "192.168.1.7"
```
## Configuration Options
### `sourceRange`
The `sourceRange` option sets the allowed IPs (or ranges of allowed IPs by using CIDR notation).

134
docs/content/middlewares/tcp/overview.md Normal file
View file

@ -0,0 +1,134 @@
# TCP Middlewares
Controlling connections
{: .subtitle }
![Overview](../../assets/img/middleware/overview.png)
## Configuration Example
```yaml tab="Docker"
# As a Docker Label
whoami:
# A container that exposes an API to show its IP address
image: traefik/whoami
labels:
# Create a middleware named `foo-ip-whitelist`
- "traefik.tcp.middlewares.foo-ip-whitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
# Apply the middleware named `foo-ip-whitelist` to the router named `router1`
- "traefik.tcp.routers.router1.middlewares=foo-ip-whitelist@docker"
```
```yaml tab="Kubernetes IngressRoute"
# As a Kubernetes Traefik IngressRoute
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: middlewaretcps.traefik.containo.us
spec:
group: traefik.containo.us
version: v1alpha1
names:
kind: MiddlewareTCP
plural: middlewaretcps
singular: middlewaretcp
scope: Namespaced
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: foo-ip-whitelist
spec:
ipWhiteList:
sourcerange:
- 127.0.0.1/32
- 192.168.1.7
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: ingressroute
spec:
# more fields...
routes:
# more fields...
middlewares:
- name: foo-ip-whitelist
```
```yaml tab="Consul Catalog"
# Create a middleware named `foo-ip-whitelist`
- "traefik.tcp.middlewares.foo-ip-whitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
# Apply the middleware named `foo-ip-whitelist` to the router named `router1`
- "traefik.tcp.routers.router1.middlewares=foo-ip-whitelist@consulcatalog"
```
```json tab="Marathon"
"labels": {
"traefik.tcp.middlewares.foo-ip-whitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7",
"traefik.tcp.routers.router1.middlewares=foo-ip-whitelist@marathon"
}
```
```yaml tab="Rancher"
# As a Rancher Label
labels:
# Create a middleware named `foo-ip-whitelist`
- "traefik.tcp.middlewares.foo-ip-whitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
# Apply the middleware named `foo-ip-whitelist` to the router named `router1`
- "traefik.tcp.routers.router1.middlewares=foo-ip-whitelist@rancher"
```
```toml tab="File (TOML)"
# As TOML Configuration File
[tcp.routers]
[tcp.routers.router1]
service = "myService"
middlewares = ["foo-ip-whitelist"]
rule = "Host(`example.com`)"
[tcp.middlewares]
[tcp.middlewares.foo-ip-whitelist.ipWhiteList]
sourceRange = ["127.0.0.1/32", "192.168.1.7"]
[tcp.services]
[tcp.services.service1]
[tcp.services.service1.loadBalancer]
[[tcp.services.service1.loadBalancer.servers]]
address = "10.0.0.10:4000"
[[tcp.services.service1.loadBalancer.servers]]
address = "10.0.0.11:4000"
```
```yaml tab="File (YAML)"
# As YAML Configuration File
tcp:
routers:
router1:
service: myService
middlewares:
- "foo-ip-whitelist"
rule: "Host(`example.com`)"
middlewares:
foo-ip-whitelist:
ipWhiteList:
sourceRange:
- "127.0.0.1/32"
- "192.168.1.7"
services:
service1:
loadBalancer:
servers:
- address: "10.0.0.10:4000"
- address: "10.0.0.11:4000"
```
## Available TCP Middlewares
| Middleware | Purpose | Area |
|-------------------------------------------|---------------------------------------------------|-----------------------------|
| [IPWhiteList](ipwhitelist.md) | Limit the allowed client IPs | Security, Request lifecycle |