baalajimaestro/traefik
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions

Adds middlewares examples for k8s.

Browse source
This commit is contained in:
Ludovic Fernandez 2019-04-03 14:32:04 +02:00 committed by Traefiker Bot
parent 336135c392
commit 07d0eb9ae6
16 changed files with 552 additions and 261 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
docs/content/middlewares/addprefix.md
View file

@ -12,17 +12,18 @@ The AddPrefix middleware updates the URL Path of the request before forwarding i
```yaml tab="Docker"
# Prefixing with /foo
labels:
- "traefik.http.middlewares.add-bar.addprefix.prefix=/foo"
- "traefik.http.middlewares.add-foo.addprefix.prefix=/foo"
```
```yaml tab="Kubernetes"
# Prefixing with /foo
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: addprefix
name: add-foo
spec:
addprefix:
prefix: /bar
addPrefix:
prefix: /foo
```
```toml tab="File"
@ -34,6 +35,6 @@ spec:
## Configuration Options
### prefix
### `prefix`
`prefix` is the string to add before the current path in the requested URL. It should include the leading slash (`/`).

57
docs/content/middlewares/basicauth.md
View file

@ -12,15 +12,30 @@ The BasicAuth middleware is a quick way to restrict access to your services to k
```yaml tab="Docker"
# Declaring the user list
labels:
- "traefik.http.middlewares.declared-users-only.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
- "traefik.http.middlewares.test-auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
```
```yaml tab="Kubernetes"
# Declaring the user list
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-auth
spec:
basicAuth:
users:
- test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/
- test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0
```
```toml tab="File"
# Declaring the user list
[http.middlewares]
[http.middlewares.test-auth.basicauth]
users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]
users = [
"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
]
```
## Configuration Options
@ -33,7 +48,7 @@ Passwords must be encoded using MD5, SHA1, or BCrypt.
Use `htpasswd` to generate the passwords.
### users
### `users`
The `users` option is an array of authorized users. Each user will be declared using the `name:encoded-password` format.
@ -41,7 +56,7 @@ The `users` option is an array of authorized users. Each user will be declared u
If both `users` and `usersFile` are provided, the two are merged. The content of `usersFile` has precedence over `users`.
### usersFile
### `usersFile`
The `usersFile` option is the path to an external file that contains the authorized users for the middleware.
@ -58,22 +73,36 @@ The file content is a list of `name:encoded-password`.
If both `users` and `usersFile` are provided, the two are merged. The content of `usersFile` has precedence over `users`.
### realm
### `realm`
You can customize the realm for the authentication with the `realm` option. The default value is `traefik`.
### headerField
### `headerField`
You can customize the header field for the authenticated user using the `headerField`option.
??? example "File -- Passing Authenticated Users to Services Via Headers"
```yaml tab="Docker"
labels:
- "traefik.http.middlewares.my-auth.basicauth.headerField=X-WebAuth-User"
```
```toml
[http.middlewares.my-auth.basicauth]
usersFile = "path-to-file.ext"
headerField = "X-WebAuth-User" # header for the authenticated user
```
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: my-auth
spec:
basicAuth:
# ...
headerField: X-WebAuth-User
```
### removeHeader
```toml tab="File"
[http.middlewares.my-auth.basicauth]
# ...
headerField = "X-WebAuth-User"
```
### `removeHeader`
Set the `removeHeader` option to `true` to remove the authorization header before forwarding the request to your service. (Default value is `false`.)

25
docs/content/middlewares/buffering.md
View file

@ -16,39 +16,50 @@ This can help services deal with large data (multipart/form-data for example), a
```yaml tab="Docker"
# Sets the maximum request body to 2Mb
labels:
- "traefik.http.middlewares.2Mb-memory.buffering.maxRequestBodyBytes=250000"
- "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=250000"
```
```yaml tab="Kubernetes"
# Sets the maximum request body to 2Mb
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: limit
spec:
buffering:
maxRequestBodyBytes: 250000
```
```toml tab="File"
# Sets the maximum request body to 2Mb
[http.middlewares]
[http.middlewares.2Mb-limit.buffering]
[http.middlewares.limit.buffering]
maxRequestBodyBytes = 250000
```
## Configuration Options
### maxRequestBodyBytes
### `maxRequestBodyBytes`
With the `maxRequestBodyBytes` option, you can configure the maximum allowed body size for the request (in Bytes).
If the request exceeds the allowed size, the request is not forwarded to the service and the client gets a `413 (Request Entity Too Large) response.
### memRequestBodyBytes
### `memRequestBodyBytes`
You can configure a thresold (in Bytes) from which the request will be buffered on disk instead of in memory with the `memRequestBodyBytes` option.
### maxResponseBodyBytes
### `maxResponseBodyBytes`
With the `maxReesponseBodyBytes` option, you can configure the maximum allowed response size from the service (in Bytes).
If the response exceeds the allowed size, it is not forwarded to the client. The client gets a `413 (Request Entity Too Large) response` instead.
### memResponseBodyBytes
### `memResponseBodyBytes`
You can configure a thresold (in Bytes) from which the response will be buffered on disk instead of in memory with the `memResponseBodyBytes` option.
### retryExpression
### `retryExpression`
You can have the Buffering middleware replay the request with the help of the `retryExpression` option.

131
docs/content/middlewares/chain.md
View file

@ -1,6 +1,6 @@
# Chain
When One Isn't Enougth
When One Isn't Enough
{: .subtitle }
![Chain](../assets/img/middleware/chain.png)
@ -10,31 +10,104 @@ It makes reusing the same groups easier.
## Configuration Example
??? example "A Chain for WhiteList, BasicAuth, and HTTPS"
```toml
# ...
[http.routers]
[http.routers.router1]
service = "service1"
middlewares = ["secured"]
rule = "Host: mydomain"
[http.middlewares]
[http.middlewares.secured.Chain]
middlewares = ["https-only", "known-ips", "auth-users"]
[http.middlewares.auth-users.BasicAuth]
users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"]
[http.middlewares.https-only.SchemeRedirect]
scheme = "https"
[http.middlewares.known-ips.ipWhiteList]
sourceRange = ["192.168.1.7", "x.x.x.x", "x.x.x.x"]
[http.services]
[http.services.service1]
[http.services.service1.LoadBalancer]
[[http.services.service1.LoadBalancer.Servers]]
URL = "http://127.0.0.1:80"
Weight = 1
```
Example "A Chain for WhiteList, BasicAuth, and HTTPS"
```yaml tab="Docker"
labels:
- "traefik.http.routers.router1.service=service1"
- "traefik.http.routers.router1.middlewares=secured"
- "traefik.http.routers.router1.rule=Host(`mydomain`)"
- "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
- "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
- "traefik.http.middlewares.https-only.schemeredirect.scheme=https"
- "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
- "http.services.service1.loadbalancer.server.port=80"
```
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: test
namespace: default
spec:
entryPoints:
- web
routes:
- match: Host(`mydomain`)
kind: Rule
services:
- name: whoami
port: 80
middlewares:
- name: secured
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: secured
spec:
chain:
middlewares:
- https-only
- known-ips
- auth-users
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: auth-users
spec:
basicAuth:
users:
- test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: https-only
spec:
schemeRedirect:
scheme: https
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: known-ips
spec:
ipWhiteList:
sourceRange:
- 192.168.1.7
- 127.0.0.1/32
```
```toml tab="File"
# ...
[http.routers]
[http.routers.router1]
service = "service1"
middlewares = ["secured"]
rule = "Host(`mydomain`)"
[http.middlewares]
[http.middlewares.secured.Chain]
middlewares = ["https-only", "known-ips", "auth-users"]
[http.middlewares.auth-users.BasicAuth]
users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"]
[http.middlewares.https-only.SchemeRedirect]
scheme = "https"
[http.middlewares.known-ips.ipWhiteList]
sourceRange = ["192.168.1.7", "127.0.0.1/32"]
[http.services]
[http.services.service1]
[http.services.service1.LoadBalancer]
[[http.services.service1.LoadBalancer.Servers]]
URL = "http://127.0.0.1:80"
Weight = 1
```

36
docs/content/middlewares/circuitbreaker.md
View file

@ -29,10 +29,21 @@ labels:
- "traefik.http.middlewares.latency-check.circuitbreaker.expression=LatencyAtQuantileMS(50.0) > 100"
```
```yaml tab="Kubernetes"
# Latency Check
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: latency-check
spec:
circuitBreaker:
expression: LatencyAtQuantileMS(50.0) > 100
```
```toml tab="File"
# Latency Check
[http.middlewares]
[http.middlewares.latency-check.circuitbreaker]
[http.middlewares.latency-check.circuitBreaker]
expression = "LatencyAtQuantileMS(50.0) > 100"
```
@ -52,11 +63,14 @@ At specified intervals (`checkPeriod`), it will evaluate `expression` to decide
### Open
While open, the fallback mechanism takes over the normal service calls for a duration of `FallbackDuration`. After this duration, it will enter the recovering state.
While open, the fallback mechanism takes over the normal service calls for a duration of `FallbackDuration`.
After this duration, it will enter the recovering state.
### Recovering
While recovering, the circuit breaker will progressively send requests to your service again (in a linear way, for `RecoveryDuration`). If your service fails during recovery, the circuit breaker becomes open again. If the service operates normally during the whole recovering duration, then the circuit breaker returns to close.
While recovering, the circuit breaker will progressively send requests to your service again (in a linear way, for `RecoveryDuration`).
If your service fails during recovery, the circuit breaker becomes open again.
If the service operates normally during the whole recovering duration, then the circuit breaker returns to close.
## Configuration Options
@ -70,11 +84,11 @@ The `expression` can check three different metrics:
- The status code ratio (`ResponseCodeRatio`)
- The latency at quantile, in milliseconds (`LatencyAtQuantileMS`)
#### NetworkErrorRatio
#### `NetworkErrorRatio`
If you want the circuit breaker to trigger at a 30% ratio of network errors, the expression will be `NetworkErrorRatio() > 0.30`
#### ResponseCodeRatio
#### `ResponseCodeRatio`
You can trigger the circuit breaker based on the ratio of a given range of status codes.
@ -89,11 +103,11 @@ The operation that will be computed is sum(`to` -> `from`) / sum (`dividedByFrom
For example, the expression `ResponseCodeRatio(500, 600, 0, 600) > 0.25` will trigger the circuit breaker if 25% of the requests returned a 5XX status (amongst the request that returned a status code from 0 to 5XX).
#### LatencyAtQuantileMS
#### `LatencyAtQuantileMS`
You can trigger the circuit breaker when a given proportion of your requests become too slow.
For example, the expression `LatencyAtQuantileMS(50.0) > 100` will trigger the circuit breaker when the median lantency (quantile 50) reaches 100MS.
For example, the expression `LatencyAtQuantileMS(50.0) > 100` will trigger the circuit breaker when the median latency (quantile 50) reaches 100MS.
!!! Note
@ -106,7 +120,7 @@ You can combine multiple metrics using operators in your expression.
Supported operators are:
- AND (`&&`)
- OR (`||)
- OR (`||`)
For example, `ResponseCodeRatio(500, 600, 0, 600) > 0.30 || NetworkErrorRatio() > 0.10` triggers the circuit breaker when 30% of the requests return a 5XX status code, or when the ratio of network errors reaches 10%.
@ -126,15 +140,15 @@ Here is the list of supported operators:
The fallback mechanism returns a `HTTP 503 Service Unavailable` to the client (instead of calling the target service). This behavior cannot be configured.
### CheckPeriod
### `CheckPeriod`
The interval used to evaluate `expression` and decide if the state of the circuit breaker must change. By default, `CheckPeriod` is 100Ms. This value cannot be configured.
### FallbackDuration
### `FallbackDuration`
By default, `FallbackDuration` is 10 seconds. This value cannot be configured.
### RecoveringDuration
### `RecoveringDuration`
The duration of the recovering mode (recovering state).

61
docs/content/middlewares/digestauth.md
View file

@ -11,14 +11,29 @@ The DigestAuth middleware is a quick way to restrict access to your services to
```yaml tab="Docker"
labels:
- "traefik.http.middlewares.declared-users-only.digestauth.usersFile=path-to-file.ext"
- "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
```
```yaml tab="Kubernetes"
# Declaring the user list
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-auth
spec:
digestAuth:
users:
- test:traefik:a2688e031edb4be6a3797f3882655c05
- test2:traefik:518845800f9e2bfb1f1f740ec24f074e
```
```toml tab="File"
[http.middlewares]
[http.middlewares.test-auth.digestauth]
users = ["test:traefik:a2688e031edb4be6a3797f3882655c05",
"test2:traefik:518845800f9e2bfb1f1f740ec24f074e"]
[http.middlewares.test-auth.digestAuth]
users = [
"test:traefik:a2688e031edb4be6a3797f3882655c05",
"test2:traefik:518845800f9e2bfb1f1f740ec24f074e",
]
```
!!! tip
@ -27,7 +42,7 @@ labels:
## Configuration Options
### Users
### `Users`
The `users` option is an array of authorized users. Each user will be declared using the `name:realm:encoded-password` format.
@ -35,7 +50,7 @@ The `users` option is an array of authorized users. Each user will be declared u
If both `users` and `usersFile` are provided, the two are merged. The content of `usersFile` has precedence over `users`.
### UsersFile
### `UsersFile`
The `usersFile` option is the path to an external file that contains the authorized users for the middleware.
@ -52,22 +67,38 @@ The file content is a list of `name:realm:encoded-password`.
If both `users` and `usersFile` are provided, the two are merged. The content of `usersFile` has precedence over `users`.
### Realm
### `Realm`
You can customize the realm for the authentication with the `realm` option. The default value is `traefik`.
### HeaderField
### `HeaderField`
You can customize the header field for the authenticated user using the `headerField`option.
??? example "File -- Passing Authenticated Users to Services Via Headers"
Example "File -- Passing Authenticated User to Services Via Headers"
```toml
[http.middlewares.my-auth.digestauth]
usersFile = "path-to-file.ext"
headerField = "X-WebAuth-User" # header for the authenticated user
```
```yaml tab="Docker"
labels:
- "traefik.http.middlewares.my-auth.digestauth.headerField=X-WebAuth-User"
```
### RemoveHeader
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: my-auth
spec:
digestAuth:
# ...
headerField: X-WebAuth-User
```
```toml tab="File"
[http.middlewares.my-auth.digestAuth]
# ...
headerField = "X-WebAuth-User"
```
### `RemoveHeader`
Set the `removeHeader` option to `true` to remove the authorization header before forwarding the request to your service. (Default value is `false`.)

32
docs/content/middlewares/errorpages.md
View file

@ -20,19 +20,27 @@ labels:
- "traefik.http.middlewares.test-errorpage.errors.query=/{status}.html"
```
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-errorpage
spec:
errors:
status:
- 500-599
service: serviceError
query: /{status}.html
```
```toml tab="File"
# Custom Error Page for 5XX
[http.routers]
[http.routers.router1]
Service = "my-service"
Rule = Host(`my-domain`)
[http.middlewares]
[http.middlewares.5XX-errors.Errors]
[http.middlewares.test-errorpage.Errors]
status = ["500-599"]
service = "error-handler-service"
query = "/error.html"
service = "serviceError"
query = "/{status}.html"
[http.services]
# ... definition of error-handler-service and my-service
```
@ -42,7 +50,7 @@ labels:
## Configuration Options
### status
### `status`
The `status` that will trigger the error page.
@ -52,10 +60,10 @@ The status code ranges are inclusive (`500-599` will trigger with every code bet
You can define either a status code like `500` or ranges with a syntax like `500-599`.
### service
### `service`
The service that will serve the new requested error page.
### query
### `query`
The URL for the error page (hosted by `service`). You can use `{status}` in the query, that will be replaced by the received status code.

57
docs/content/middlewares/forwardauth.md
View file

@ -11,21 +11,6 @@ Otherwise, the response from the authentication server is returned.
## Configuration Examples
```toml tab="File"
# Forward authentication to authserver.com
[http.middlewares]
[http.middlewares.test-auth.forwardauth]
address = "https://authserver.com/auth"
trustForwardHeader = true
authResponseHeaders = ["X-Auth-User", "X-Secret"]
[http.middlewares.test-auth.forwardauth.tls]
ca = "path/to/local.crt"
caOptional = true
cert = "path/to/foo.cert"
key = "path/to/foo.key"
```
```yaml tab="Docker"
# Forward authentication to authserver.com
labels:
@ -39,20 +24,54 @@ labels:
- "traefik.http.middlewares.test-auth.ForwardAuth.TrustForwardHeader=true"
```
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-auth
spec:
forwardAuth:
address: https://authserver.com/auth
trustForwardHeader: true
authResponseHeaders:
- X-Auth-User
- X-Secret
tls:
ca: path/to/local.crt
caOptional: true
cert: path/to/foo.cert
key: path/to/foo.key
```
```toml tab="File"
# Forward authentication to authserver.com
[http.middlewares]
[http.middlewares.test-auth.forwardAuth]
address = "https://authserver.com/auth"
trustForwardHeader = true
authResponseHeaders = ["X-Auth-User", "X-Secret"]
[http.middlewares.test-auth.forwardauth.tls]
ca = "path/to/local.crt"
caOptional = true
cert = "path/to/foo.cert"
key = "path/to/foo.key"
```
## Configuration Options
### address
### `address`
The `address` option defines the authentication server address.
### trustForwardHeader
### `trustForwardHeader`
Set the `trustForwardHeader` option to true to trust all the existing X-Forwarded-* headers.
### authResponseHeaders
### `authResponseHeaders`
The `authResponseHeaders` option is the list of the headers to copy from the authentication server to the request.
### tls
### `tls`
The `tls` option is the tls configuration from Traefik to the authentication server.

58
docs/content/middlewares/headers.md
View file

@ -150,27 +150,27 @@ spec:
!!! note
The detailed documentation for the security headers can be found in [unrolled/secure](https://github.com/unrolled/secure#available-options).
### customRequestHeaders
### `customRequestHeaders`
The `customRequestHeaders` option lists the Header names and values to apply to the request.
### customResponseHeaders
### `customResponseHeaders`
The `customResponseHeaders` option lists the Header names and values to apply to the response.
### accessControlAllowCredentials
### `accessControlAllowCredentials`
The `accessControlAllowCredentials` indicates whether the request can include user credentials.
### accessControlAllowHeaders
### `accessControlAllowHeaders`
The `accessControlAllowHeaders` indicates which header field names can be used as part of the request.
### accessControlAllowMethods
### `accessControlAllowMethods`
The `accessControlAllowMethods` indicates which methods can be used during requests.
### accessControlAllowOrigin
### `accessControlAllowOrigin`
The `accessControlAllowOrigin` indicates whether a resource can be shared by returning different values. The three options for this value are:
@ -178,95 +178,95 @@ The `accessControlAllowOrigin` indicates whether a resource can be shared by ret
- `*`
- `null`
### accessControlExposeHeaders
### `accessControlExposeHeaders`
The `accessControlExposeHeaders` indicates which headers are safe to expose to the api of a CORS API specification.
### accessControlMaxAge
### `accessControlMaxAge`
The `accessControlMaxAge` indicates how long a preflight request can be cached.
### addVaryHeader
### `addVaryHeader`
The `addVaryHeader` is used in conjunction with `accessControlAllowOrigin` to determine whether the vary header should be added or modified to demonstrate that server responses can differ beased on the value of the origin header.
### allowedHosts
### `allowedHosts`
The `allowedHosts` option lists fully qualified domain names that are allowed.
### hostsProxyHeaders
### `hostsProxyHeaders`
The `hostsProxyHeaders` option is a set of header keys that may hold a proxied hostname value for the request.
### sslRedirect
### `sslRedirect`
The `sslRedirect` is set to true, then only allow https requests.
### sslTemporaryRedirect
### `sslTemporaryRedirect`
Set the `sslTemporaryRedirect` to `true` to force an SSL redirection using a 302 (instead of a 301).
### sslHost
### `sslHost`
The `SSLHost` option is the host name that is used to redirect http requests to https.
### sslProxyHeaders
### `sslProxyHeaders`
The `sslProxyHeaders` option is set of header keys with associated values that would indicate a valid https request. Useful when using other proxies with header like: `"X-Forwarded-Proto": "https"`.
### sslForceHost
### `sslForceHost`
Set `sslForceHost` to true and set SSLHost to forced requests to use `SSLHost` even the ones that are already using SSL.
### stsSeconds
### `stsSeconds`
The `stsSeconds` is the max-age of the Strict-Transport-Security header. If set to 0, would NOT include the header.
### stsIncludeSubdomains
### `stsIncludeSubdomains`
The `stsIncludeSubdomains` is set to true, the `includeSubdomains` will be appended to the Strict-Transport-Security header.
### stsPreload
### `stsPreload`
Set `STSPreload` to true to have the `preload` flag appended to the Strict-Transport-Security header.
### forceSTSHeader
### `forceSTSHeader`
Set `ForceSTSHeader` to true, to add the STS header even when the connection is HTTP.
### frameDeny
### `frameDeny`
Set `frameDeny` to true to add the `X-Frame-Options` header with the value of `DENY`.
### customFrameOptionsValue
### `customFrameOptionsValue`
The `customFrameOptionsValue` allows the `X-Frame-Options` header value to be set with a custom value. This overrides the FrameDeny option.
### contentTypeNosniff
### `contentTypeNosniff`
Set `contentTypeNosniff` to true to add the `X-Content-Type-Options` header with the value `nosniff`.
### browserXssFilter
### `browserXssFilter`
Set `BrowserXssFilter` to true to add the `X-XSS-Protection` header with the value `1; mode=block`.
### customBrowserXSSValue
### `customBrowserXSSValue`
The `customBrowserXssValue` option allows the `X-XSS-Protection` header value to be set with a custom value. This overrides the BrowserXssFilter option.
### contentSecurityPolicy
### `contentSecurityPolicy`
The `contentSecurityPolicy` option allows the `Content-Security-Policy` header value to be set with a custom value.
### publicKey
### `publicKey`
The `publicKey` implements HPKP to prevent MITM attacks with forged certificates.
### referrerPolicy
### `referrerPolicy`
The `referrerPolicy` allows sites to control when browsers will pass the Referer header to other sites.
### isDevelopment
### `isDevelopment`
Set `isDevelopment` to true when developing. The AllowedHosts, SSL, and STS options can cause some unwanted effects. Usually testing happens on http, not https, and on localhost, not your production domain.
If you would like your development environment to mimic production with complete Host blocking, SSL redirects, and STS headers, leave this as false.

105
docs/content/middlewares/ipwhitelist.md
View file

@ -12,7 +12,19 @@ IPWhitelist accepts / refuses requests based on the client IP.
```yaml tab="Docker"
# Accepts request from defined IP
labels:
- "traefik.http.middlewares.Middleware9.IPWhiteList.SourceRange=127.0.0.1/32, 192.168.1.7"
- "traefik.http.middlewares.test-ipwhitelist.IPWhiteList.SourceRange=127.0.0.1/32, 192.168.1.7"
```
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-ipwhitelist
spec:
ipWhiteList:
sourceRange:
- 127.0.0.1/32
- 192.168.1.7
```
```toml tab="File"
@ -24,19 +36,19 @@ labels:
## Configuration Options
### sourceRange
### `sourceRange`
The `sourceRange` option sets the allowed IPs (or ranges of allowed IPs).
### ipStrategy
### `ipStrategy`
The `ipStrategy` option defines two parameters that sets how Traefik will determine the client IP: `depth`, and `excludedIPs`.
#### ipStrategy.depth
#### `ipStrategy.depth`
The `depth` option tells Traefik to use the `X-Forwarded-For` header and take the IP located at the `depth` position (starting from the right).
!!! note "Examples of Depth & X-Forwaded-For"
!!! note "Examples of Depth & X-Forwarded-For"
If `depth` was equal to 2, and the request `X-Forwarded-For` header was `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP would be `"10.0.0.1"` (at depth 4) but the IP used for the whitelisting would be `"12.0.0.1"` (`depth=2`).
@ -47,10 +59,31 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `1` | `"13.0.0.1"` |
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3` | `"11.0.0.1"` |
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5` | `""` |
??? example "File -- Whitelisting Based on `X-Forwarded-For` with `depth=2`"
```toml
```yaml tab="Docker"
# Whitelisting Based on `X-Forwarded-For` with `depth=2`
labels:
- "traefik.http.middlewares.testIPwhitelist.ipWhiteList.SourceRange=127.0.0.1/32, 192.168.1.7"
- "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
```
```yaml tab="Kubernetes"
# Whitelisting Based on `X-Forwarded-For` with `depth=2`
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: testIPwhitelist
spec:
ipWhiteList:
SourceRange:
- 127.0.0.1/32
- 192.168.1.7
ipstrategy:
depth: 2
```
```toml tab="File"
# Whitelisting Based on `X-Forwarded-For` with `depth=2`
[http.middlewares]
[http.middlewares.test-ipwhitelist.ipWhiteList]
sourceRange = ["127.0.0.1/32", "192.168.1.7"]
@ -58,26 +91,16 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
depth = 2
```
??? example "Docker -- Whitelisting Based on `X-Forwarded-For` with `depth=2`"
```yml
a-container:
image: a-container-image
labels:
- "traefik.http.middlewares.testIPwhitelist.ipWhiteList.SourceRange=127.0.0.1/32, 192.168.1.7"
- "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
```
!!! note
- If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP will be empty.
- `depth` is ignored if its value is is lesser than or equal to 0.
#### ipStrategy.excludedIPs
#### `ipStrategy.excludedIPs`
`excludedIPs` tells Traefik to scan the `X-Forwarded-For` header and pick the first IP not in the list.
!!! note "Examples of ExcludedIPs & X-Forwaded-For"
!!! note "Examples of ExcludedIPs & X-Forwarded-For"
| `X-Forwarded-For` | `excludedIPs` | clientIP |
|-----------------------------------------|-----------------------|--------------|
@ -90,20 +113,30 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
!!! important
If `depth` is specified, `excludedIPs` is ignored.
??? example "File -- Exclude from `X-Forwarded-For`"
```yaml tab="Docker"
# Exclude from `X-Forwarded-For`
labels:
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedIPs=127.0.0.1/32, 192.168.1.7"
```
```toml
[http.middlewares]
[http.middlewares.test-ipwhitelist.ipWhiteList]
[http.middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
```
```yaml tab="Kubernetes"
# Exclude from `X-Forwarded-For`
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-ipwhitelist
spec:
ipWhiteList:
ipstrategy:
excludedIPs:
- 127.0.0.1/32
- 192.168.1.7
```
??? example "Docker -- Exclude from `X-Forwarded-For`"
```yml
a-container:
image: a-container-image
labels:
- "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.excludedIPs=127.0.0.1/32, 192.168.1.7"
```
```toml tab="File"
# Exclude from `X-Forwarded-For`
[http.middlewares]
[http.middlewares.test-ipwhitelist.ipWhiteList]
[http.middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
```

12
docs/content/middlewares/maxconnection.md
View file

@ -15,6 +15,16 @@ labels:
- "traefik.http.middlewares.test-maxconn.maxconn.amount=10"
```
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: addprefix
spec:
addPrefix:
prefix: /bar
```
```toml tab="File"
# Limiting to 10 simultaneous connections
[http.middlewares]
@ -24,7 +34,7 @@ labels:
## Configuration Options
### amount
### `amount`
The `amount` option defines the maximum amount of allowed simultaneous connections.
The middleware will return an `HTTP 429 Too Many Requests` if there are already `amount` requests in progress (based on the same `extractorfunc` strategy).

94
docs/content/middlewares/passtlsclientcert.md
View file

@ -14,7 +14,17 @@ Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
```yaml tab="Docker"
# Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
labels:
- "traefik.http.middlewares.Middleware11.passtlsclientcert.pem=true"
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"
```
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: addprefix
spec:
passtlsclientcert:
pem: true
```
```toml tab="File"
@ -48,6 +58,36 @@ labels:
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"
```
```yaml tab="Kubernetes"
# Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-passtlsclientcert
spec:
passtlsclientcert:
info:
notAfter: true
notBefore: true
sans: true
subject:
country: true
province: true
locality: true
organization: true
commonName: true
serialNumber: true
domainComponent: true
issuer:
country: true
province: true
locality: true
organization: true
commonName: true
serialNumber: true
domainComponent: true
```
```toml tab="File"
# Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
[http.middlewares]
@ -192,7 +232,7 @@ In the following example, you can see a complete certificate. We will use each p
-----END CERTIFICATE-----
```
### pem
### `pem`
The `pem` option sets the `X-Forwarded-Tls-Client-Cert` header with the escape certificate.
In the example, it is the part between `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` delimiters :
@ -243,7 +283,7 @@ In the example, it is the part between `-----BEGIN CERTIFICATE-----` and `-----E
The delimiters and `\n` will be removed.
If there are more than one certificate, they are separated by a "`;`".
### info
### `info`
The `info` option select the specific client certificate details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.
The value of the header will be an escaped concatenation of all the selected certificate details.
@ -257,7 +297,7 @@ Subject="DC=org,DC=cheese,C=FR,C=US,ST=Cheese org state,ST=Cheese com state,L=TO
If there are more than one certificate, they are separated by a `;`.
#### info.notafter
#### `info.notafter`
Set the `info.notafter` option to `true` to add the `Not After` information from the `Validity` part.
The data are taken from the following certificate part:
@ -273,7 +313,7 @@ The escape `notafter` info part will be like:
NA=1607166616
```
#### info.notbefore
#### `info.notbefore`
Set the `info.notafter` option to `true` to add the `Not Before` information from the `Validity` part.
@ -290,7 +330,7 @@ The escape `notafter` info part will be like:
NB=1544094616
```
#### info.sans
#### `info.sans`
Set the `info.sans` option to `true` to add the `Subject Alternative Name` information from the `Subject Alternative Name` part.
The data are taken from the following certificate part:
@ -310,7 +350,7 @@ SAN=*.cheese.org,*.cheese.net,*.cheese.com,test@cheese.org,test@cheese.net,10.0.
All the SANs data are separated by a `,`.
#### info.subject
#### `info.subject`
The `info.subject` select the specific client certificate subject details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.
@ -320,7 +360,7 @@ The data are taken from the following certificate part :
Subject: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=*.cheese.org, CN=*.cheese.com, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Cheese org state, ST=Cheese com state/emailAddress=cert@cheese.org/emailAddress=cert@scheese.com
```
##### info.subject.country
##### `info.subject.country`
Set the `info.subject.country` option to true to add the `country` information into the subject.
The data are taken from the subject part with the `C` key.
@ -330,7 +370,7 @@ The escape country info in the subject part will be like :
C=FR,C=US
```
##### info.subject.province
##### `info.subject.province`
Set the `info.subject.province` option to true to add the `province` information into the subject.
@ -342,7 +382,7 @@ The escape province info in the subject part will be like :
ST=Cheese org state,ST=Cheese com state
```
##### info.subject.locality
##### `info.subject.locality`
Set the `info.subject.locality` option to true to add the `locality` information into the subject.
@ -354,7 +394,7 @@ The escape locality info in the subject part will be like :
L=TOULOUSE,L=LYON
```
##### info.subject.organization
##### `info.subject.organization`
Set the `info.subject.organization` option to true to add the `organization` information into the subject.
@ -366,31 +406,31 @@ The escape organization info in the subject part will be like :
O=Cheese,O=Cheese 2
```
##### info.subject.commonname
##### `info.subject.commonname`
Set the `info.subject.commonname` option to true to add the `commonname` information into the subject.
The data are taken from the subject part with the `CN` key.
The escape commonname info in the subject part will be like :
The escape common name info in the subject part will be like :
```text
CN=*.cheese.com
```
##### info.subject.serialnumber
##### `info.subject.serialnumber`
Set the `info.subject.serialnumber` option to true to add the `serialnumber` information into the subject.
The data are taken from the subject part with the `SN` key.
The escape serialnumber info in the subject part will be like :
The escape serial number info in the subject part will be like :
```text
SN=1234567890
```
##### info.subject.domaincomponent
##### `info.subject.domaincomponent`
Set the `info.subject.domaincomponent` option to true to add the `domaincomponent` information into the subject.
@ -402,7 +442,7 @@ The escape domaincomponent info in the subject part will be like :
DC=org,DC=cheese
```
#### info.issuer
#### `info.issuer`
The `info.issuer` select the specific client certificate issuer details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.
@ -412,7 +452,7 @@ The data are taken from the following certificate part :
Issuer: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=Simple Signing CA, CN=Simple Signing CA 2, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Signing State, ST=Signing State 2/emailAddress=simple@signing.com/emailAddress=simple2@signing.com
```
##### info.issuer.country
##### `info.issuer.country`
Set the `info.issuer.country` option to true to add the `country` information into the issuer.
The data are taken from the issuer part with the `C` key.
@ -422,7 +462,7 @@ The escape country info in the issuer part will be like :
C=FR,C=US
```
##### info.issuer.province
##### `info.issuer.province`
Set the `info.issuer.province` option to true to add the `province` information into the issuer.
@ -434,7 +474,7 @@ The escape province info in the issuer part will be like :
ST=Signing State,ST=Signing State 2
```
##### info.issuer.locality
##### `info.issuer.locality`
Set the `info.issuer.locality` option to true to add the `locality` information into the issuer.
@ -446,7 +486,7 @@ The escape locality info in the issuer part will be like :
L=TOULOUSE,L=LYON
```
##### info.issuer.organization
##### `info.issuer.organization`
Set the `info.issuer.organization` option to true to add the `organization` information into the issuer.
@ -458,37 +498,37 @@ The escape organization info in the issuer part will be like :
O=Cheese,O=Cheese 2
```
##### info.issuer.commonname
##### `info.issuer.commonname`
Set the `info.issuer.commonname` option to true to add the `commonname` information into the issuer.
The data are taken from the issuer part with the `CN` key.
The escape commonname info in the issuer part will be like :
The escape common name info in the issuer part will be like :
```text
CN=Simple Signing CA 2
```
##### info.issuer.serialnumber
##### `info.issuer.serialnumber`
Set the `info.issuer.serialnumber` option to true to add the `serialnumber` information into the issuer.
The data are taken from the issuer part with the `SN` key.
The escape serialnumber info in the issuer part will be like :
The escape serial number info in the issuer part will be like :
```text
SN=1234567890
```
##### info.issuer.domaincomponent
##### `info.issuer.domaincomponent`
Set the `info.issuer.domaincomponent` option to true to add the `domaincomponent` information into the issuer.
The data are taken from the issuer part with the `DC` key.
The escape domaincomponent info in the issuer part will be like :
The escape domain component info in the issuer part will be like :
```text
DC=org,DC=cheese

10
docs/content/middlewares/ratelimit.md
View file

@ -44,7 +44,7 @@ The RateLimit middleware ensures that services will receive a _fair_ number of r
## Configuration Options
### extractorfunc
### `extractorfunc`
The `extractorfunc` option defines the strategy used to categorize requests.
@ -54,12 +54,12 @@ The possible values are:
- `client.ip` categorizes requests based on the client ip.
- `request.header.ANY_HEADER` categorizes requests based on the provided `ANY_HEADER` value.
### ratelimit (multiple values)
### `ratelimit` (multiple values)
You can combine multiple ratelimit.
The ratelimit will trigger with the first reached limit.
You can combine multiple rate limits.
The rate limit will trigger with the first reached limit.
Each ratelimit has 3 options, `period`, `average`, and `burst`.
Each rate limit has 3 options, `period`, `average`, and `burst`.
The rate limit will allow an average of `average` requests every `period`, with a maximum of `burst` request on that period.

46
docs/content/middlewares/redirectregex.md
View file

@ -9,32 +9,40 @@ RegexRedirect redirect a request from an url to another with regex matching and
## Configuration Examples
??? example "File -- Redirect with domain replacement"
```yaml tab="Docker"
# Redirect with domain replacement
labels:
- "traefik.http.middlewares.test-redirectregex.redirectregex.regex=^http://localhost/(.*)"
- "traefik.http.middlewares.test-redirectregex.redirectregex.replacement=http://mydomain/$1"
```
```toml
[http.middlewares]
[http.middlewares.test-redirectregex.redirectregex]
regex = "^http://localhost/(.*)"
replacement = "http://mydomain/$1"
```
```yaml tab="Kubernetes"
# Redirect with domain replacement
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-redirectregex
spec:
redirectRegex:
regex: ^http://localhost/(.*)
replacement: http://mydomain/$1
```
??? example "Docker -- Redirect with domain replacement"
```yml
a-container:
image: a-container-image
labels:
- "traefik.http.middlewares.test-redirectregex.redirectregex.regex=^http://localhost/(.*)"
- "traefik.http.middlewares.test-redirectregex.redirectregex.replacement=http://mydomain/$1"
```
```toml tab="File"
# Redirect with domain replacement
[http.middlewares]
[http.middlewares.test-redirectregex.redirectregex]
regex = "^http://localhost/(.*)"
replacement = "http://mydomain/$1"
```
## Configuration Options
### permanent
### `permanent`
Set the `permanent` option to `true` to apply a permanent redirection.
### regex
### `regex`
The `Regex` option is the regular expression to match and capture elements form the request URL.
@ -46,7 +54,7 @@ The `Regex` option is the regular expression to match and capture elements form
Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
### replacement
### `replacement`
The `replacement` option defines how to modify the URl to have the new target URL.

41
docs/content/middlewares/redirectscheme.md
View file

@ -9,33 +9,40 @@ RegexRedirect redirect request from a scheme to another.
## Configuration Examples
??? example "File -- Redirect to https"
```yaml tab="Docker"
# Redirect to https
labels:
- "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
```
```toml
[http.middlewares]
[http.middlewares.test-redirectscheme.redirectscheme]
scheme = "https"
```
```yaml tab="Kubernetes"
# Redirect to https
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-redirectscheme
spec:
redirectScheme:
scheme: https
```
??? example "Docker -- Redirect to https"
```yml
a-container:
image: a-container-image
labels:
- "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
```
```toml tab="File"
# Redirect to https
[http.middlewares]
[http.middlewares.test-redirectscheme.redirectscheme]
scheme = "https"
```
## Configuration Options
### permanent
### `permanent`
Set the `permanent` option to `true` to apply a permanent redirection.
### scheme
### `scheme`
The `scheme` option defines the scheme of the new url.
### port
### `port`
The `port` option defines the port of the new url.

37
docs/content/middlewares/replacepath.md
View file

@ -9,23 +9,30 @@ Replace the path of the request url.
## Configuration Examples
??? example "File -- Replace the path by /foo"
```yaml tab="Docker"
# Replace the path by /foo
labels:
- "traefik.http.middlewares.test-replacepath.replacepath.path=/foo"
```
```toml
[http.middlewares]
[http.middlewares.test-replacepath.ReplacePath]
path = "/foo"
```
```yaml tab="Kubernetes"
# Replace the path by /foo
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-replacepath
spec:
replacePath:
path: /foo
```
??? example "Docker --Replace the path by /foo"
```toml tab="File"
# Replace the path by /foo
[http.middlewares]
[http.middlewares.test-replacepath.ReplacePath]
path = "/foo"
```
```yaml
a-container:
image: a-container-image
labels:
- "traefik.http.middlewares.test-replacepath.replacepath.path=/foo"
```
## Configuration Options
### General
@ -35,6 +42,6 @@ The ReplacePath middleware will:
* replace the actual path by the specified one.
* store the original path in a `X-Replaced-Path` header.
### path
### `path`
The `path` option defines the path to use as replacement in the request url.