Adds middlewares examples for k8s.
parent
336135c392
commit
07d0eb9ae6
16 changed files with 552 additions and 261 deletions
|
@ -12,17 +12,18 @@ The AddPrefix middleware updates the URL Path of the request before forwarding i
|
||||||
```yaml tab="Docker"
|
```yaml tab="Docker"
|
||||||
# Prefixing with /foo
|
# Prefixing with /foo
|
||||||
labels:
|
labels:
|
||||||
- "traefik.http.middlewares.add-bar.addprefix.prefix=/foo"
|
- "traefik.http.middlewares.add-foo.addprefix.prefix=/foo"
|
||||||
```
|
```
|
||||||
|
|
||||||
```yaml tab="Kubernetes"
|
```yaml tab="Kubernetes"
|
||||||
|
# Prefixing with /foo
|
||||||
apiVersion: traefik.containo.us/v1alpha1
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
kind: Middleware
|
kind: Middleware
|
||||||
metadata:
|
metadata:
|
||||||
name: addprefix
|
name: add-foo
|
||||||
spec:
|
spec:
|
||||||
addprefix:
|
addPrefix:
|
||||||
prefix: /bar
|
prefix: /foo
|
||||||
```
|
```
|
||||||
|
|
||||||
```toml tab="File"
|
```toml tab="File"
|
||||||
|
@ -34,6 +35,6 @@ spec:
|
||||||
|
|
||||||
## Configuration Options
|
## Configuration Options
|
||||||
|
|
||||||
### prefix
|
### `prefix`
|
||||||
|
|
||||||
`prefix` is the string to add before the current path in the requested URL. It should include the leading slash (`/`).
|
`prefix` is the string to add before the current path in the requested URL. It should include the leading slash (`/`).
|
||||||
|
|
|
@ -12,15 +12,30 @@ The BasicAuth middleware is a quick way to restrict access to your services to k
|
||||||
```yaml tab="Docker"
|
```yaml tab="Docker"
|
||||||
# Declaring the user list
|
# Declaring the user list
|
||||||
labels:
|
labels:
|
||||||
- "traefik.http.middlewares.declared-users-only.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
|
- "traefik.http.middlewares.test-auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
|
||||||
|
```
|
||||||
|
|
||||||
|
```yaml tab="Kubernetes"
|
||||||
|
# Declaring the user list
|
||||||
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
|
kind: Middleware
|
||||||
|
metadata:
|
||||||
|
name: test-auth
|
||||||
|
spec:
|
||||||
|
basicAuth:
|
||||||
|
users:
|
||||||
|
- test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/
|
||||||
|
- test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0
|
||||||
```
|
```
|
||||||
|
|
||||||
```toml tab="File"
|
```toml tab="File"
|
||||||
# Declaring the user list
|
# Declaring the user list
|
||||||
[http.middlewares]
|
[http.middlewares]
|
||||||
[http.middlewares.test-auth.basicauth]
|
[http.middlewares.test-auth.basicauth]
|
||||||
users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
|
users = [
|
||||||
"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]
|
"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
|
||||||
|
"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
|
||||||
|
]
|
||||||
```
|
```
|
||||||
|
|
||||||
## Configuration Options
|
## Configuration Options
|
||||||
|
@ -33,7 +48,7 @@ Passwords must be encoded using MD5, SHA1, or BCrypt.
|
||||||
|
|
||||||
Use `htpasswd` to generate the passwords.
|
Use `htpasswd` to generate the passwords.
|
||||||
|
|
||||||
### users
|
### `users`
|
||||||
|
|
||||||
The `users` option is an array of authorized users. Each user will be declared using the `name:encoded-password` format.
|
The `users` option is an array of authorized users. Each user will be declared using the `name:encoded-password` format.
|
||||||
|
|
||||||
|
@ -41,7 +56,7 @@ The `users` option is an array of authorized users. Each user will be declared u
|
||||||
|
|
||||||
If both `users` and `usersFile` are provided, the two are merged. The content of `usersFile` has precedence over `users`.
|
If both `users` and `usersFile` are provided, the two are merged. The content of `usersFile` has precedence over `users`.
|
||||||
|
|
||||||
### usersFile
|
### `usersFile`
|
||||||
|
|
||||||
The `usersFile` option is the path to an external file that contains the authorized users for the middleware.
|
The `usersFile` option is the path to an external file that contains the authorized users for the middleware.
|
||||||
|
|
||||||
|
@ -58,22 +73,36 @@ The file content is a list of `name:encoded-password`.
|
||||||
|
|
||||||
If both `users` and `usersFile` are provided, the two are merged. The content of `usersFile` has precedence over `users`.
|
If both `users` and `usersFile` are provided, the two are merged. The content of `usersFile` has precedence over `users`.
|
||||||
|
|
||||||
### realm
|
### `realm`
|
||||||
|
|
||||||
You can customize the realm for the authentication with the `realm` option. The default value is `traefik`.
|
You can customize the realm for the authentication with the `realm` option. The default value is `traefik`.
|
||||||
|
|
||||||
### headerField
|
### `headerField`
|
||||||
|
|
||||||
You can customize the header field for the authenticated user using the `headerField`option.
|
You can customize the header field for the authenticated user using the `headerField`option.
|
||||||
|
|
||||||
??? example "File -- Passing Authenticated Users to Services Via Headers"
|
```yaml tab="Docker"
|
||||||
|
labels:
|
||||||
|
- "traefik.http.middlewares.my-auth.basicauth.headerField=X-WebAuth-User"
|
||||||
|
```
|
||||||
|
|
||||||
```toml
|
```yaml tab="Kubernetes"
|
||||||
[http.middlewares.my-auth.basicauth]
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
usersFile = "path-to-file.ext"
|
kind: Middleware
|
||||||
headerField = "X-WebAuth-User" # header for the authenticated user
|
metadata:
|
||||||
```
|
name: my-auth
|
||||||
|
spec:
|
||||||
|
basicAuth:
|
||||||
|
# ...
|
||||||
|
headerField: X-WebAuth-User
|
||||||
|
```
|
||||||
|
|
||||||
### removeHeader
|
```toml tab="File"
|
||||||
|
[http.middlewares.my-auth.basicauth]
|
||||||
|
# ...
|
||||||
|
headerField = "X-WebAuth-User"
|
||||||
|
```
|
||||||
|
|
||||||
|
### `removeHeader`
|
||||||
|
|
||||||
Set the `removeHeader` option to `true` to remove the authorization header before forwarding the request to your service. (Default value is `false`.)
|
Set the `removeHeader` option to `true` to remove the authorization header before forwarding the request to your service. (Default value is `false`.)
|
||||||
|
|
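Review bot: The new Kubernetes tab copies the `$apr1$` entries into `spec.basicAuth.users`, and `$apr1$` is Apache's MD5-based scheme, which is far cheaper to brute-force than bcrypt if the Middleware object or the label is ever read by someone else. The page lists MD5, SHA1 and BCrypt as accepted encodings without stating a preference, and these examples are likely to be pasted as they stand. Consider adding one line under the `htpasswd` sentence, for example `Prefer bcrypt (htpasswd -B) over MD5 or SHA1 for new entries.` The same `$apr1$` entry is reused in the Chain example.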
|
@ -16,39 +16,50 @@ This can help services deal with large data (multipart/form-data for example), a
|
||||||
```yaml tab="Docker"
|
```yaml tab="Docker"
|
||||||
# Sets the maximum request body to 2Mb
|
# Sets the maximum request body to 2Mb
|
||||||
labels:
|
labels:
|
||||||
- "traefik.http.middlewares.2Mb-memory.buffering.maxRequestBodyBytes=250000"
|
- "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=250000"
|
||||||
|
```
|
||||||
|
|
||||||
|
```yaml tab="Kubernetes"
|
||||||
|
# Sets the maximum request body to 2Mb
|
||||||
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
|
kind: Middleware
|
||||||
|
metadata:
|
||||||
|
name: limit
|
||||||
|
spec:
|
||||||
|
buffering:
|
||||||
|
maxRequestBodyBytes: 250000
|
||||||
```
|
```
|
||||||
|
|
||||||
```toml tab="File"
|
```toml tab="File"
|
||||||
# Sets the maximum request body to 2Mb
|
# Sets the maximum request body to 2Mb
|
||||||
[http.middlewares]
|
[http.middlewares]
|
||||||
[http.middlewares.2Mb-limit.buffering]
|
[http.middlewares.limit.buffering]
|
||||||
maxRequestBodyBytes = 250000
|
maxRequestBodyBytes = 250000
|
||||||
```
|
```
|
||||||
|
|
||||||
## Configuration Options
|
## Configuration Options
|
||||||
|
|
||||||
### maxRequestBodyBytes
|
### `maxRequestBodyBytes`
|
||||||
|
|
||||||
With the `maxRequestBodyBytes` option, you can configure the maximum allowed body size for the request (in Bytes).
|
With the `maxRequestBodyBytes` option, you can configure the maximum allowed body size for the request (in Bytes).
|
||||||
|
|
||||||
If the request exceeds the allowed size, the request is not forwarded to the service and the client gets a `413 (Request Entity Too Large) response.
|
If the request exceeds the allowed size, the request is not forwarded to the service and the client gets a `413 (Request Entity Too Large) response.
|
||||||
|
|
||||||
### memRequestBodyBytes
|
### `memRequestBodyBytes`
|
||||||
|
|
||||||
You can configure a thresold (in Bytes) from which the request will be buffered on disk instead of in memory with the `memRequestBodyBytes` option.
|
You can configure a thresold (in Bytes) from which the request will be buffered on disk instead of in memory with the `memRequestBodyBytes` option.
|
||||||
|
|
||||||
### maxResponseBodyBytes
|
### `maxResponseBodyBytes`
|
||||||
|
|
||||||
With the `maxReesponseBodyBytes` option, you can configure the maximum allowed response size from the service (in Bytes).
|
With the `maxReesponseBodyBytes` option, you can configure the maximum allowed response size from the service (in Bytes).
|
||||||
|
|
||||||
If the response exceeds the allowed size, it is not forwarded to the client. The client gets a `413 (Request Entity Too Large) response` instead.
|
If the response exceeds the allowed size, it is not forwarded to the client. The client gets a `413 (Request Entity Too Large) response` instead.
|
||||||
|
|
||||||
### memResponseBodyBytes
|
### `memResponseBodyBytes`
|
||||||
|
|
||||||
You can configure a thresold (in Bytes) from which the response will be buffered on disk instead of in memory with the `memResponseBodyBytes` option.
|
You can configure a thresold (in Bytes) from which the response will be buffered on disk instead of in memory with the `memResponseBodyBytes` option.
|
||||||
|
|
||||||
### retryExpression
|
### `retryExpression`
|
||||||
|
|
||||||
You can have the Buffering middleware replay the request with the help of the `retryExpression` option.
|
You can have the Buffering middleware replay the request with the help of the `retryExpression` option.
|
||||||
|
|
||||||
|
|
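Review bot: The comment `# Sets the maximum request body to 2Mb` is repeated in the new Kubernetes tab next to `maxRequestBodyBytes: 250000`, but 250000 bytes is about 250 kB (2 megabits), not 2 megabytes. This option is the bound on what gets buffered and forwarded, so a reader sizing it from the comment would be off by a factor of eight. Either change the comment to `# Sets the maximum request body to 250 kB` or the value to `2000000`, in all three tabs. The option text in this section still has `maxReesponseBodyBytes`, `thresold` and an unclosed backtick in the first 413 sentence, which could be fixed in the same pass.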
|
@ -1,6 +1,6 @@
|
||||||
# Chain
|
# Chain
|
||||||
|
|
||||||
When One Isn't Enougth
|
When One Isn't Enough
|
||||||
{: .subtitle }
|
{: .subtitle }
|
||||||
|
|
||||||
![Chain](../assets/img/middleware/chain.png)
|
![Chain](../assets/img/middleware/chain.png)
|
||||||
|
@ -10,31 +10,104 @@ It makes reusing the same groups easier.
|
||||||
|
|
||||||
## Configuration Example
|
## Configuration Example
|
||||||
|
|
||||||
??? example "A Chain for WhiteList, BasicAuth, and HTTPS"
|
Example "A Chain for WhiteList, BasicAuth, and HTTPS"
|
||||||
|
|
||||||
```toml
|
```yaml tab="Docker"
|
||||||
# ...
|
labels:
|
||||||
[http.routers]
|
- "traefik.http.routers.router1.service=service1"
|
||||||
[http.routers.router1]
|
- "traefik.http.routers.router1.middlewares=secured"
|
||||||
service = "service1"
|
- "traefik.http.routers.router1.rule=Host(`mydomain`)"
|
||||||
middlewares = ["secured"]
|
- "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
|
||||||
rule = "Host: mydomain"
|
- "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
|
||||||
|
- "traefik.http.middlewares.https-only.schemeredirect.scheme=https"
|
||||||
|
- "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
|
||||||
|
- "http.services.service1.loadbalancer.server.port=80"
|
||||||
|
```
|
||||||
|
|
||||||
[http.middlewares]
|
```yaml tab="Kubernetes"
|
||||||
[http.middlewares.secured.Chain]
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
middlewares = ["https-only", "known-ips", "auth-users"]
|
kind: IngressRoute
|
||||||
|
metadata:
|
||||||
|
name: test
|
||||||
|
namespace: default
|
||||||
|
|
||||||
[http.middlewares.auth-users.BasicAuth]
|
spec:
|
||||||
users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"]
|
entryPoints:
|
||||||
[http.middlewares.https-only.SchemeRedirect]
|
- web
|
||||||
scheme = "https"
|
|
||||||
[http.middlewares.known-ips.ipWhiteList]
|
|
||||||
sourceRange = ["192.168.1.7", "x.x.x.x", "x.x.x.x"]
|
|
||||||
|
|
||||||
[http.services]
|
routes:
|
||||||
[http.services.service1]
|
- match: Host(`mydomain`)
|
||||||
[http.services.service1.LoadBalancer]
|
kind: Rule
|
||||||
[[http.services.service1.LoadBalancer.Servers]]
|
services:
|
||||||
URL = "http://127.0.0.1:80"
|
- name: whoami
|
||||||
Weight = 1
|
port: 80
|
||||||
```
|
middlewares:
|
||||||
|
- name: secured
|
||||||
|
---
|
||||||
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
|
kind: Middleware
|
||||||
|
metadata:
|
||||||
|
name: secured
|
||||||
|
spec:
|
||||||
|
chain:
|
||||||
|
middlewares:
|
||||||
|
- https-only
|
||||||
|
- known-ips
|
||||||
|
- auth-users
|
||||||
|
---
|
||||||
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
|
kind: Middleware
|
||||||
|
metadata:
|
||||||
|
name: auth-users
|
||||||
|
spec:
|
||||||
|
basicAuth:
|
||||||
|
users:
|
||||||
|
- test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/
|
||||||
|
---
|
||||||
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
|
kind: Middleware
|
||||||
|
metadata:
|
||||||
|
name: https-only
|
||||||
|
spec:
|
||||||
|
schemeRedirect:
|
||||||
|
scheme: https
|
||||||
|
---
|
||||||
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
|
kind: Middleware
|
||||||
|
metadata:
|
||||||
|
name: known-ips
|
||||||
|
spec:
|
||||||
|
ipWhiteList:
|
||||||
|
sourceRange:
|
||||||
|
- 192.168.1.7
|
||||||
|
- 127.0.0.1/32
|
||||||
|
```
|
||||||
|
|
||||||
|
```toml tab="File"
|
||||||
|
# ...
|
||||||
|
[http.routers]
|
||||||
|
[http.routers.router1]
|
||||||
|
service = "service1"
|
||||||
|
middlewares = ["secured"]
|
||||||
|
rule = "Host(`mydomain`)"
|
||||||
|
|
||||||
|
[http.middlewares]
|
||||||
|
[http.middlewares.secured.Chain]
|
||||||
|
middlewares = ["https-only", "known-ips", "auth-users"]
|
||||||
|
|
||||||
|
[http.middlewares.auth-users.BasicAuth]
|
||||||
|
users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"]
|
||||||
|
|
||||||
|
[http.middlewares.https-only.SchemeRedirect]
|
||||||
|
scheme = "https"
|
||||||
|
|
||||||
|
[http.middlewares.known-ips.ipWhiteList]
|
||||||
|
sourceRange = ["192.168.1.7", "127.0.0.1/32"]
|
||||||
|
|
||||||
|
[http.services]
|
||||||
|
[http.services.service1]
|
||||||
|
[http.services.service1.LoadBalancer]
|
||||||
|
[[http.services.service1.LoadBalancer.Servers]]
|
||||||
|
URL = "http://127.0.0.1:80"
|
||||||
|
Weight = 1
|
||||||
|
```
|
||||||
|
|
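Review bot: The last label of the new Docker tab, `- "http.services.service1.loadbalancer.server.port=80"`, lacks the `traefik.` prefix that every other label in the example carries, so the provider would presumably ignore it and `service1` would have no server. It should read `- "traefik.http.services.service1.loadbalancer.server.port=80"`. The Kubernetes tab routes to a service named `whoami` while the Docker and File tabs use `service1`, which makes the three tabs harder to compare. The heading also changed from `??? example "A Chain ..."` to a bare `Example "A Chain ..."`, which no longer looks like an admonition marker; restore `??? example` if that was not intended.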
|
@ -29,10 +29,21 @@ labels:
|
||||||
- "traefik.http.middlewares.latency-check.circuitbreaker.expression=LatencyAtQuantileMS(50.0) > 100"
|
- "traefik.http.middlewares.latency-check.circuitbreaker.expression=LatencyAtQuantileMS(50.0) > 100"
|
||||||
```
|
```
|
||||||
|
|
||||||
|
```yaml tab="Kubernetes"
|
||||||
|
# Latency Check
|
||||||
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
|
kind: Middleware
|
||||||
|
metadata:
|
||||||
|
name: latency-check
|
||||||
|
spec:
|
||||||
|
circuitBreaker:
|
||||||
|
expression: LatencyAtQuantileMS(50.0) > 100
|
||||||
|
```
|
||||||
|
|
||||||
```toml tab="File"
|
```toml tab="File"
|
||||||
# Latency Check
|
# Latency Check
|
||||||
[http.middlewares]
|
[http.middlewares]
|
||||||
[http.middlewares.latency-check.circuitbreaker]
|
[http.middlewares.latency-check.circuitBreaker]
|
||||||
expression = "LatencyAtQuantileMS(50.0) > 100"
|
expression = "LatencyAtQuantileMS(50.0) > 100"
|
||||||
```
|
```
|
||||||
|
|
||||||
|
@ -52,11 +63,14 @@ At specified intervals (`checkPeriod`), it will evaluate `expression` to decide
|
||||||
|
|
||||||
### Open
|
### Open
|
||||||
|
|
||||||
While open, the fallback mechanism takes over the normal service calls for a duration of `FallbackDuration`. After this duration, it will enter the recovering state.
|
While open, the fallback mechanism takes over the normal service calls for a duration of `FallbackDuration`.
|
||||||
|
After this duration, it will enter the recovering state.
|
||||||
|
|
||||||
### Recovering
|
### Recovering
|
||||||
|
|
||||||
While recovering, the circuit breaker will progressively send requests to your service again (in a linear way, for `RecoveryDuration`). If your service fails during recovery, the circuit breaker becomes open again. If the service operates normally during the whole recovering duration, then the circuit breaker returns to close.
|
While recovering, the circuit breaker will progressively send requests to your service again (in a linear way, for `RecoveryDuration`).
|
||||||
|
If your service fails during recovery, the circuit breaker becomes open again.
|
||||||
|
If the service operates normally during the whole recovering duration, then the circuit breaker returns to close.
|
||||||
|
|
||||||
## Configuration Options
|
## Configuration Options
|
||||||
|
|
||||||
|
@ -70,11 +84,11 @@ The `expression` can check three different metrics:
|
||||||
- The status code ratio (`ResponseCodeRatio`)
|
- The status code ratio (`ResponseCodeRatio`)
|
||||||
- The latency at quantile, in milliseconds (`LatencyAtQuantileMS`)
|
- The latency at quantile, in milliseconds (`LatencyAtQuantileMS`)
|
||||||
|
|
||||||
#### NetworkErrorRatio
|
#### `NetworkErrorRatio`
|
||||||
|
|
||||||
If you want the circuit breaker to trigger at a 30% ratio of network errors, the expression will be `NetworkErrorRatio() > 0.30`
|
If you want the circuit breaker to trigger at a 30% ratio of network errors, the expression will be `NetworkErrorRatio() > 0.30`
|
||||||
|
|
||||||
#### ResponseCodeRatio
|
#### `ResponseCodeRatio`
|
||||||
|
|
||||||
You can trigger the circuit breaker based on the ratio of a given range of status codes.
|
You can trigger the circuit breaker based on the ratio of a given range of status codes.
|
||||||
|
|
||||||
|
@ -89,11 +103,11 @@ The operation that will be computed is sum(`to` -> `from`) / sum (`dividedByFrom
|
||||||
|
|
||||||
For example, the expression `ResponseCodeRatio(500, 600, 0, 600) > 0.25` will trigger the circuit breaker if 25% of the requests returned a 5XX status (amongst the request that returned a status code from 0 to 5XX).
|
For example, the expression `ResponseCodeRatio(500, 600, 0, 600) > 0.25` will trigger the circuit breaker if 25% of the requests returned a 5XX status (amongst the request that returned a status code from 0 to 5XX).
|
||||||
|
|
||||||
#### LatencyAtQuantileMS
|
#### `LatencyAtQuantileMS`
|
||||||
|
|
||||||
You can trigger the circuit breaker when a given proportion of your requests become too slow.
|
You can trigger the circuit breaker when a given proportion of your requests become too slow.
|
||||||
|
|
||||||
For example, the expression `LatencyAtQuantileMS(50.0) > 100` will trigger the circuit breaker when the median lantency (quantile 50) reaches 100MS.
|
For example, the expression `LatencyAtQuantileMS(50.0) > 100` will trigger the circuit breaker when the median latency (quantile 50) reaches 100MS.
|
||||||
|
|
||||||
!!! Note
|
!!! Note
|
||||||
|
|
||||||
|
@ -106,7 +120,7 @@ You can combine multiple metrics using operators in your expression.
|
||||||
Supported operators are:
|
Supported operators are:
|
||||||
|
|
||||||
- AND (`&&`)
|
- AND (`&&`)
|
||||||
- OR (`||)
|
- OR (`||`)
|
||||||
|
|
||||||
For example, `ResponseCodeRatio(500, 600, 0, 600) > 0.30 || NetworkErrorRatio() > 0.10` triggers the circuit breaker when 30% of the requests return a 5XX status code, or when the ratio of network errors reaches 10%.
|
For example, `ResponseCodeRatio(500, 600, 0, 600) > 0.30 || NetworkErrorRatio() > 0.10` triggers the circuit breaker when 30% of the requests return a 5XX status code, or when the ratio of network errors reaches 10%.
|
||||||
|
|
||||||
|
@ -126,15 +140,15 @@ Here is the list of supported operators:
|
||||||
|
|
||||||
The fallback mechanism returns a `HTTP 503 Service Unavailable` to the client (instead of calling the target service). This behavior cannot be configured.
|
The fallback mechanism returns a `HTTP 503 Service Unavailable` to the client (instead of calling the target service). This behavior cannot be configured.
|
||||||
|
|
||||||
### CheckPeriod
|
### `CheckPeriod`
|
||||||
|
|
||||||
The interval used to evaluate `expression` and decide if the state of the circuit breaker must change. By default, `CheckPeriod` is 100Ms. This value cannot be configured.
|
The interval used to evaluate `expression` and decide if the state of the circuit breaker must change. By default, `CheckPeriod` is 100Ms. This value cannot be configured.
|
||||||
|
|
||||||
### FallbackDuration
|
### `FallbackDuration`
|
||||||
|
|
||||||
By default, `FallbackDuration` is 10 seconds. This value cannot be configured.
|
By default, `FallbackDuration` is 10 seconds. This value cannot be configured.
|
||||||
|
|
||||||
### RecoveringDuration
|
### `RecoveringDuration`
|
||||||
|
|
||||||
The duration of the recovering mode (recovering state).
|
The duration of the recovering mode (recovering state).
|
||||||
|
|
||||||
|
|
|
@ -11,14 +11,29 @@ The DigestAuth middleware is a quick way to restrict access to your services to
|
||||||
|
|
||||||
```yaml tab="Docker"
|
```yaml tab="Docker"
|
||||||
labels:
|
labels:
|
||||||
- "traefik.http.middlewares.declared-users-only.digestauth.usersFile=path-to-file.ext"
|
- "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
|
||||||
|
```
|
||||||
|
|
||||||
|
```yaml tab="Kubernetes"
|
||||||
|
# Declaring the user list
|
||||||
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
|
kind: Middleware
|
||||||
|
metadata:
|
||||||
|
name: test-auth
|
||||||
|
spec:
|
||||||
|
digestAuth:
|
||||||
|
users:
|
||||||
|
- test:traefik:a2688e031edb4be6a3797f3882655c05
|
||||||
|
- test2:traefik:518845800f9e2bfb1f1f740ec24f074e
|
||||||
```
|
```
|
||||||
|
|
||||||
```toml tab="File"
|
```toml tab="File"
|
||||||
[http.middlewares]
|
[http.middlewares]
|
||||||
[http.middlewares.test-auth.digestauth]
|
[http.middlewares.test-auth.digestAuth]
|
||||||
users = ["test:traefik:a2688e031edb4be6a3797f3882655c05",
|
users = [
|
||||||
"test2:traefik:518845800f9e2bfb1f1f740ec24f074e"]
|
"test:traefik:a2688e031edb4be6a3797f3882655c05",
|
||||||
|
"test2:traefik:518845800f9e2bfb1f1f740ec24f074e",
|
||||||
|
]
|
||||||
```
|
```
|
||||||
|
|
||||||
!!! tip
|
!!! tip
|
||||||
|
@ -27,7 +42,7 @@ labels:
|
||||||
|
|
||||||
## Configuration Options
|
## Configuration Options
|
||||||
|
|
||||||
### Users
|
### `Users`
|
||||||
|
|
||||||
The `users` option is an array of authorized users. Each user will be declared using the `name:realm:encoded-password` format.
|
The `users` option is an array of authorized users. Each user will be declared using the `name:realm:encoded-password` format.
|
||||||
|
|
||||||
|
@ -35,7 +50,7 @@ The `users` option is an array of authorized users. Each user will be declared u
|
||||||
|
|
||||||
If both `users` and `usersFile` are provided, the two are merged. The content of `usersFile` has precedence over `users`.
|
If both `users` and `usersFile` are provided, the two are merged. The content of `usersFile` has precedence over `users`.
|
||||||
|
|
||||||
### UsersFile
|
### `UsersFile`
|
||||||
|
|
||||||
The `usersFile` option is the path to an external file that contains the authorized users for the middleware.
|
The `usersFile` option is the path to an external file that contains the authorized users for the middleware.
|
||||||
|
|
||||||
|
@ -52,22 +67,38 @@ The file content is a list of `name:realm:encoded-password`.
|
||||||
|
|
||||||
If both `users` and `usersFile` are provided, the two are merged. The content of `usersFile` has precedence over `users`.
|
If both `users` and `usersFile` are provided, the two are merged. The content of `usersFile` has precedence over `users`.
|
||||||
|
|
||||||
### Realm
|
### `Realm`
|
||||||
|
|
||||||
You can customize the realm for the authentication with the `realm` option. The default value is `traefik`.
|
You can customize the realm for the authentication with the `realm` option. The default value is `traefik`.
|
||||||
|
|
||||||
### HeaderField
|
### `HeaderField`
|
||||||
|
|
||||||
You can customize the header field for the authenticated user using the `headerField`option.
|
You can customize the header field for the authenticated user using the `headerField`option.
|
||||||
|
|
||||||
??? example "File -- Passing Authenticated Users to Services Via Headers"
|
Example "File -- Passing Authenticated User to Services Via Headers"
|
||||||
|
|
||||||
```toml
|
```yaml tab="Docker"
|
||||||
[http.middlewares.my-auth.digestauth]
|
labels:
|
||||||
usersFile = "path-to-file.ext"
|
- "traefik.http.middlewares.my-auth.digestauth.headerField=X-WebAuth-User"
|
||||||
headerField = "X-WebAuth-User" # header for the authenticated user
|
```
|
||||||
```
|
|
||||||
|
|
||||||
### RemoveHeader
|
```yaml tab="Kubernetes"
|
||||||
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
|
kind: Middleware
|
||||||
|
metadata:
|
||||||
|
name: my-auth
|
||||||
|
spec:
|
||||||
|
digestAuth:
|
||||||
|
# ...
|
||||||
|
headerField: X-WebAuth-User
|
||||||
|
```
|
||||||
|
|
||||||
|
```toml tab="File"
|
||||||
|
[http.middlewares.my-auth.digestAuth]
|
||||||
|
# ...
|
||||||
|
headerField = "X-WebAuth-User"
|
||||||
|
```
|
||||||
|
|
||||||
|
### `RemoveHeader`
|
||||||
|
|
||||||
Set the `removeHeader` option to `true` to remove the authorization header before forwarding the request to your service. (Default value is `false`.)
|
Set the `removeHeader` option to `true` to remove the authorization header before forwarding the request to your service. (Default value is `false`.)
|
||||||
|
|
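Review bot: The Docker tab now inlines the digest entries in `digestauth.users=...` where the previous example pointed at `usersFile=path-to-file.ext`, and the new Kubernetes tab does the same under `spec.digestAuth.users`. A digest entry is an MD5 over name, realm and password and should be handled like the password itself, while container labels and Middleware objects are readable by anyone who can inspect them. Consider keeping one `usersFile` variant among the examples, or adding the comment `# for real deployments, prefer usersFile with restricted file permissions`. The `??? example` marker before "File -- Passing Authenticated User to Services Via Headers" also became a bare `Example`, which looks unintended.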
|
@ -20,18 +20,26 @@ labels:
|
||||||
- "traefik.http.middlewares.test-errorpage.errors.query=/{status}.html"
|
- "traefik.http.middlewares.test-errorpage.errors.query=/{status}.html"
|
||||||
```
|
```
|
||||||
|
|
||||||
|
```yaml tab="Kubernetes"
|
||||||
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
|
kind: Middleware
|
||||||
|
metadata:
|
||||||
|
name: test-errorpage
|
||||||
|
spec:
|
||||||
|
errors:
|
||||||
|
status:
|
||||||
|
- 500-599
|
||||||
|
service: serviceError
|
||||||
|
query: /{status}.html
|
||||||
|
```
|
||||||
|
|
||||||
```toml tab="File"
|
```toml tab="File"
|
||||||
# Custom Error Page for 5XX
|
# Custom Error Page for 5XX
|
||||||
[http.routers]
|
|
||||||
[http.routers.router1]
|
|
||||||
Service = "my-service"
|
|
||||||
Rule = Host(`my-domain`)
|
|
||||||
|
|
||||||
[http.middlewares]
|
[http.middlewares]
|
||||||
[http.middlewares.5XX-errors.Errors]
|
[http.middlewares.test-errorpage.Errors]
|
||||||
status = ["500-599"]
|
status = ["500-599"]
|
||||||
service = "error-handler-service"
|
service = "serviceError"
|
||||||
query = "/error.html"
|
query = "/{status}.html"
|
||||||
|
|
||||||
[http.services]
|
[http.services]
|
||||||
# ... definition of error-handler-service and my-service
|
# ... definition of error-handler-service and my-service
|
||||||
|
@ -42,7 +50,7 @@ labels:
|
||||||
|
|
||||||
## Configuration Options
|
## Configuration Options
|
||||||
|
|
||||||
### status
|
### `status`
|
||||||
|
|
||||||
The `status` that will trigger the error page.
|
The `status` that will trigger the error page.
|
||||||
|
|
||||||
|
@ -52,10 +60,10 @@ The status code ranges are inclusive (`500-599` will trigger with every code bet
|
||||||
|
|
||||||
You can define either a status code like `500` or ranges with a syntax like `500-599`.
|
You can define either a status code like `500` or ranges with a syntax like `500-599`.
|
||||||
|
|
||||||
### service
|
### `service`
|
||||||
|
|
||||||
The service that will serve the new requested error page.
|
The service that will serve the new requested error page.
|
||||||
|
|
||||||
### query
|
### `query`
|
||||||
|
|
||||||
The URL for the error page (hosted by `service`). You can use `{status}` in the query, that will be replaced by the received status code.
|
The URL for the error page (hosted by `service`). You can use `{status}` in the query, that will be replaced by the received status code.
|
||||||
|
|
|
@ -11,21 +11,6 @@ Otherwise, the response from the authentication server is returned.
|
||||||
|
|
||||||
## Configuration Examples
|
## Configuration Examples
|
||||||
|
|
||||||
```toml tab="File"
|
|
||||||
# Forward authentication to authserver.com
|
|
||||||
[http.middlewares]
|
|
||||||
[http.middlewares.test-auth.forwardauth]
|
|
||||||
address = "https://authserver.com/auth"
|
|
||||||
trustForwardHeader = true
|
|
||||||
authResponseHeaders = ["X-Auth-User", "X-Secret"]
|
|
||||||
|
|
||||||
[http.middlewares.test-auth.forwardauth.tls]
|
|
||||||
ca = "path/to/local.crt"
|
|
||||||
caOptional = true
|
|
||||||
cert = "path/to/foo.cert"
|
|
||||||
key = "path/to/foo.key"
|
|
||||||
```
|
|
||||||
|
|
||||||
```yaml tab="Docker"
|
```yaml tab="Docker"
|
||||||
# Forward authentication to authserver.com
|
# Forward authentication to authserver.com
|
||||||
labels:
|
labels:
|
||||||
|
@ -39,20 +24,54 @@ labels:
|
||||||
- "traefik.http.middlewares.test-auth.ForwardAuth.TrustForwardHeader=true"
|
- "traefik.http.middlewares.test-auth.ForwardAuth.TrustForwardHeader=true"
|
||||||
```
|
```
|
||||||
|
|
||||||
|
```yaml tab="Kubernetes"
|
||||||
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
|
kind: Middleware
|
||||||
|
metadata:
|
||||||
|
name: test-auth
|
||||||
|
spec:
|
||||||
|
forwardAuth:
|
||||||
|
address: https://authserver.com/auth
|
||||||
|
trustForwardHeader: true
|
||||||
|
authResponseHeaders:
|
||||||
|
- X-Auth-User
|
||||||
|
- X-Secret
|
||||||
|
tls:
|
||||||
|
ca: path/to/local.crt
|
||||||
|
caOptional: true
|
||||||
|
cert: path/to/foo.cert
|
||||||
|
key: path/to/foo.key
|
||||||
|
```
|
||||||
|
|
||||||
|
```toml tab="File"
|
||||||
|
# Forward authentication to authserver.com
|
||||||
|
[http.middlewares]
|
||||||
|
[http.middlewares.test-auth.forwardAuth]
|
||||||
|
address = "https://authserver.com/auth"
|
||||||
|
trustForwardHeader = true
|
||||||
|
authResponseHeaders = ["X-Auth-User", "X-Secret"]
|
||||||
|
|
||||||
|
[http.middlewares.test-auth.forwardauth.tls]
|
||||||
|
ca = "path/to/local.crt"
|
||||||
|
caOptional = true
|
||||||
|
cert = "path/to/foo.cert"
|
||||||
|
key = "path/to/foo.key"
|
||||||
|
```
|
||||||
|
|
||||||
## Configuration Options
|
## Configuration Options
|
||||||
|
|
||||||
### address
|
### `address`
|
||||||
|
|
||||||
The `address` option defines the authentication server address.
|
The `address` option defines the authentication server address.
|
||||||
|
|
||||||
### trustForwardHeader
|
### `trustForwardHeader`
|
||||||
|
|
||||||
Set the `trustForwardHeader` option to true to trust all the existing X-Forwarded-* headers.
|
Set the `trustForwardHeader` option to true to trust all the existing X-Forwarded-* headers.
|
||||||
|
|
||||||
### authResponseHeaders
|
### `authResponseHeaders`
|
||||||
|
|
||||||
The `authResponseHeaders` option is the list of the headers to copy from the authentication server to the request.
|
The `authResponseHeaders` option is the list of the headers to copy from the authentication server to the request.
|
||||||
|
|
||||||
### tls
|
### `tls`
|
||||||
|
|
||||||
The `tls` option is the tls configuration from Traefik to the authentication server.
|
The `tls` option is the tls configuration from Traefik to the authentication server.
|
||||||
|
|
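Review bot: The new Kubernetes and File tabs carry `trustForwardHeader: true` with no comment, and that is the value readers will paste. Per the option text further down, enabling it trusts all existing `X-Forwarded-*` headers, which is only sound when a trusted proxy in front of Traefik sets them. A comment on that line such as `# only enable behind a trusted proxy that sets X-Forwarded-*` would make the condition explicit. In the File tab the table names also disagree in case, `[http.middlewares.test-auth.forwardAuth]` versus `[http.middlewares.test-auth.forwardauth.tls]`; writing `forwardAuth.tls` keeps them consistent.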
|
@ -150,27 +150,27 @@ spec:
|
||||||
!!! note
|
!!! note
|
||||||
The detailed documentation for the security headers can be found in [unrolled/secure](https://github.com/unrolled/secure#available-options).
|
The detailed documentation for the security headers can be found in [unrolled/secure](https://github.com/unrolled/secure#available-options).
|
||||||
|
|
||||||
### customRequestHeaders
|
### `customRequestHeaders`
|
||||||
|
|
||||||
The `customRequestHeaders` option lists the Header names and values to apply to the request.
|
The `customRequestHeaders` option lists the Header names and values to apply to the request.
|
||||||
|
|
||||||
### customResponseHeaders
|
### `customResponseHeaders`
|
||||||
|
|
||||||
The `customResponseHeaders` option lists the Header names and values to apply to the response.
|
The `customResponseHeaders` option lists the Header names and values to apply to the response.
|
||||||
|
|
||||||
### accessControlAllowCredentials
|
### `accessControlAllowCredentials`
|
||||||
|
|
||||||
The `accessControlAllowCredentials` indicates whether the request can include user credentials.
|
The `accessControlAllowCredentials` indicates whether the request can include user credentials.
|
||||||
|
|
||||||
### accessControlAllowHeaders
|
### `accessControlAllowHeaders`
|
||||||
|
|
||||||
The `accessControlAllowHeaders` indicates which header field names can be used as part of the request.
|
The `accessControlAllowHeaders` indicates which header field names can be used as part of the request.
|
||||||
|
|
||||||
### accessControlAllowMethods
|
### `accessControlAllowMethods`
|
||||||
|
|
||||||
The `accessControlAllowMethods` indicates which methods can be used during requests.
|
The `accessControlAllowMethods` indicates which methods can be used during requests.
|
||||||
|
|
||||||
### accessControlAllowOrigin
|
### `accessControlAllowOrigin`
|
||||||
|
|
||||||
The `accessControlAllowOrigin` indicates whether a resource can be shared by returning different values. The three options for this value are:
|
The `accessControlAllowOrigin` indicates whether a resource can be shared by returning different values. The three options for this value are:
|
||||||
|
|
||||||
|
@ -178,95 +178,95 @@ The `accessControlAllowOrigin` indicates whether a resource can be shared by ret
|
||||||
- `*`
|
- `*`
|
||||||
- `null`
|
- `null`
|
||||||
|
|
||||||
### accessControlExposeHeaders
|
### `accessControlExposeHeaders`
|
||||||
|
|
||||||
The `accessControlExposeHeaders` indicates which headers are safe to expose to the api of a CORS API specification.
|
The `accessControlExposeHeaders` indicates which headers are safe to expose to the api of a CORS API specification.
|
||||||
|
|
||||||
### accessControlMaxAge
|
### `accessControlMaxAge`
|
||||||
|
|
||||||
The `accessControlMaxAge` indicates how long a preflight request can be cached.
|
The `accessControlMaxAge` indicates how long a preflight request can be cached.
|
||||||
|
|
||||||
### addVaryHeader
|
### `addVaryHeader`
|
||||||
|
|
||||||
The `addVaryHeader` is used in conjunction with `accessControlAllowOrigin` to determine whether the vary header should be added or modified to demonstrate that server responses can differ beased on the value of the origin header.
|
The `addVaryHeader` is used in conjunction with `accessControlAllowOrigin` to determine whether the vary header should be added or modified to demonstrate that server responses can differ beased on the value of the origin header.
|
||||||
|
|
||||||
### allowedHosts
|
### `allowedHosts`
|
||||||
|
|
||||||
The `allowedHosts` option lists fully qualified domain names that are allowed.
|
The `allowedHosts` option lists fully qualified domain names that are allowed.
|
||||||
|
|
||||||
### hostsProxyHeaders
|
### `hostsProxyHeaders`
|
||||||
|
|
||||||
The `hostsProxyHeaders` option is a set of header keys that may hold a proxied hostname value for the request.
|
The `hostsProxyHeaders` option is a set of header keys that may hold a proxied hostname value for the request.
|
||||||
|
|
||||||
### sslRedirect
|
### `sslRedirect`
|
||||||
|
|
||||||
The `sslRedirect` is set to true, then only allow https requests.
|
The `sslRedirect` is set to true, then only allow https requests.
|
||||||
|
|
||||||
### sslTemporaryRedirect
|
### `sslTemporaryRedirect`
|
||||||
|
|
||||||
Set the `sslTemporaryRedirect` to `true` to force an SSL redirection using a 302 (instead of a 301).
|
Set the `sslTemporaryRedirect` to `true` to force an SSL redirection using a 302 (instead of a 301).
|
||||||
|
|
||||||
### sslHost
|
### `sslHost`
|
||||||
|
|
||||||
The `SSLHost` option is the host name that is used to redirect http requests to https.
|
The `SSLHost` option is the host name that is used to redirect http requests to https.
|
||||||
|
|
||||||
### sslProxyHeaders
|
### `sslProxyHeaders`
|
||||||
|
|
||||||
The `sslProxyHeaders` option is set of header keys with associated values that would indicate a valid https request. Useful when using other proxies with header like: `"X-Forwarded-Proto": "https"`.
|
The `sslProxyHeaders` option is set of header keys with associated values that would indicate a valid https request. Useful when using other proxies with header like: `"X-Forwarded-Proto": "https"`.
|
||||||
|
|
||||||
### sslForceHost
|
### `sslForceHost`
|
||||||
|
|
||||||
Set `sslForceHost` to true and set SSLHost to forced requests to use `SSLHost` even the ones that are already using SSL.
|
Set `sslForceHost` to true and set SSLHost to forced requests to use `SSLHost` even the ones that are already using SSL.
|
||||||
|
|
||||||
### stsSeconds
|
### `stsSeconds`
|
||||||
|
|
||||||
The `stsSeconds` is the max-age of the Strict-Transport-Security header. If set to 0, would NOT include the header.
|
The `stsSeconds` is the max-age of the Strict-Transport-Security header. If set to 0, would NOT include the header.
|
||||||
|
|
||||||
### stsIncludeSubdomains
|
### `stsIncludeSubdomains`
|
||||||
|
|
||||||
The `stsIncludeSubdomains` is set to true, the `includeSubdomains` will be appended to the Strict-Transport-Security header.
|
The `stsIncludeSubdomains` is set to true, the `includeSubdomains` will be appended to the Strict-Transport-Security header.
|
||||||
|
|
||||||
### stsPreload
|
### `stsPreload`
|
||||||
|
|
||||||
Set `STSPreload` to true to have the `preload` flag appended to the Strict-Transport-Security header.
|
Set `STSPreload` to true to have the `preload` flag appended to the Strict-Transport-Security header.
|
||||||
|
|
||||||
### forceSTSHeader
|
### `forceSTSHeader`
|
||||||
|
|
||||||
Set `ForceSTSHeader` to true, to add the STS header even when the connection is HTTP.
|
Set `ForceSTSHeader` to true, to add the STS header even when the connection is HTTP.
|
||||||
|
|
||||||
### frameDeny
|
### `frameDeny`
|
||||||
|
|
||||||
Set `frameDeny` to true to add the `X-Frame-Options` header with the value of `DENY`.
|
Set `frameDeny` to true to add the `X-Frame-Options` header with the value of `DENY`.
|
||||||
|
|
||||||
### customFrameOptionsValue
|
### `customFrameOptionsValue`
|
||||||
|
|
||||||
The `customFrameOptionsValue` allows the `X-Frame-Options` header value to be set with a custom value. This overrides the FrameDeny option.
|
The `customFrameOptionsValue` allows the `X-Frame-Options` header value to be set with a custom value. This overrides the FrameDeny option.
|
||||||
|
|
||||||
### contentTypeNosniff
|
### `contentTypeNosniff`
|
||||||
|
|
||||||
Set `contentTypeNosniff` to true to add the `X-Content-Type-Options` header with the value `nosniff`.
|
Set `contentTypeNosniff` to true to add the `X-Content-Type-Options` header with the value `nosniff`.
|
||||||
|
|
||||||
### browserXssFilter
|
### `browserXssFilter`
|
||||||
|
|
||||||
Set `BrowserXssFilter` to true to add the `X-XSS-Protection` header with the value `1; mode=block`.
|
Set `BrowserXssFilter` to true to add the `X-XSS-Protection` header with the value `1; mode=block`.
|
||||||
|
|
||||||
### customBrowserXSSValue
|
### `customBrowserXSSValue`
|
||||||
|
|
||||||
The `customBrowserXssValue` option allows the `X-XSS-Protection` header value to be set with a custom value. This overrides the BrowserXssFilter option.
|
The `customBrowserXssValue` option allows the `X-XSS-Protection` header value to be set with a custom value. This overrides the BrowserXssFilter option.
|
||||||
|
|
||||||
### contentSecurityPolicy
|
### `contentSecurityPolicy`
|
||||||
|
|
||||||
The `contentSecurityPolicy` option allows the `Content-Security-Policy` header value to be set with a custom value.
|
The `contentSecurityPolicy` option allows the `Content-Security-Policy` header value to be set with a custom value.
|
||||||
|
|
||||||
### publicKey
|
### `publicKey`
|
||||||
|
|
||||||
The `publicKey` implements HPKP to prevent MITM attacks with forged certificates.
|
The `publicKey` implements HPKP to prevent MITM attacks with forged certificates.
|
||||||
|
|
||||||
### referrerPolicy
|
### `referrerPolicy`
|
||||||
|
|
||||||
The `referrerPolicy` allows sites to control when browsers will pass the Referer header to other sites.
|
The `referrerPolicy` allows sites to control when browsers will pass the Referer header to other sites.
|
||||||
|
|
||||||
### isDevelopment
|
### `isDevelopment`
|
||||||
|
|
||||||
Set `isDevelopment` to true when developing. The AllowedHosts, SSL, and STS options can cause some unwanted effects. Usually testing happens on http, not https, and on localhost, not your production domain.
|
Set `isDevelopment` to true when developing. The AllowedHosts, SSL, and STS options can cause some unwanted effects. Usually testing happens on http, not https, and on localhost, not your production domain.
|
||||||
If you would like your development environment to mimic production with complete Host blocking, SSL redirects, and STS headers, leave this as false.
|
If you would like your development environment to mimic production with complete Host blocking, SSL redirects, and STS headers, leave this as false.
|
||||||
|
|
|
@ -12,7 +12,19 @@ IPWhitelist accepts / refuses requests based on the client IP.
|
||||||
```yaml tab="Docker"
|
```yaml tab="Docker"
|
||||||
# Accepts request from defined IP
|
# Accepts request from defined IP
|
||||||
labels:
|
labels:
|
||||||
- "traefik.http.middlewares.Middleware9.IPWhiteList.SourceRange=127.0.0.1/32, 192.168.1.7"
|
- "traefik.http.middlewares.test-ipwhitelist.IPWhiteList.SourceRange=127.0.0.1/32, 192.168.1.7"
|
||||||
|
```
|
||||||
|
|
||||||
|
```yaml tab="Kubernetes"
|
||||||
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
|
kind: Middleware
|
||||||
|
metadata:
|
||||||
|
name: test-ipwhitelist
|
||||||
|
spec:
|
||||||
|
ipWhiteList:
|
||||||
|
sourceRange:
|
||||||
|
- 127.0.0.1/32
|
||||||
|
- 192.168.1.7
|
||||||
```
|
```
|
||||||
|
|
||||||
```toml tab="File"
|
```toml tab="File"
|
||||||
|
@ -24,19 +36,19 @@ labels:
|
||||||
|
|
||||||
## Configuration Options
|
## Configuration Options
|
||||||
|
|
||||||
### sourceRange
|
### `sourceRange`
|
||||||
|
|
||||||
The `sourceRange` option sets the allowed IPs (or ranges of allowed IPs).
|
The `sourceRange` option sets the allowed IPs (or ranges of allowed IPs).
|
||||||
|
|
||||||
### ipStrategy
|
### `ipStrategy`
|
||||||
|
|
||||||
The `ipStrategy` option defines two parameters that sets how Traefik will determine the client IP: `depth`, and `excludedIPs`.
|
The `ipStrategy` option defines two parameters that sets how Traefik will determine the client IP: `depth`, and `excludedIPs`.
|
||||||
|
|
||||||
#### ipStrategy.depth
|
#### `ipStrategy.depth`
|
||||||
|
|
||||||
The `depth` option tells Traefik to use the `X-Forwarded-For` header and take the IP located at the `depth` position (starting from the right).
|
The `depth` option tells Traefik to use the `X-Forwarded-For` header and take the IP located at the `depth` position (starting from the right).
|
||||||
|
|
||||||
!!! note "Examples of Depth & X-Forwaded-For"
|
!!! note "Examples of Depth & X-Forwarded-For"
|
||||||
|
|
||||||
If `depth` was equal to 2, and the request `X-Forwarded-For` header was `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP would be `"10.0.0.1"` (at depth 4) but the IP used for the whitelisting would be `"12.0.0.1"` (`depth=2`).
|
If `depth` was equal to 2, and the request `X-Forwarded-For` header was `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP would be `"10.0.0.1"` (at depth 4) but the IP used for the whitelisting would be `"12.0.0.1"` (`depth=2`).
|
||||||
|
|
||||||
|
@ -48,9 +60,30 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
|
||||||
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3` | `"11.0.0.1"` |
|
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3` | `"11.0.0.1"` |
|
||||||
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5` | `""` |
|
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5` | `""` |
|
||||||
|
|
||||||
??? example "File -- Whitelisting Based on `X-Forwarded-For` with `depth=2`"
|
```yaml tab="Docker"
|
||||||
|
# Whitelisting Based on `X-Forwarded-For` with `depth=2`
|
||||||
|
labels:
|
||||||
|
- "traefik.http.middlewares.testIPwhitelist.ipWhiteList.SourceRange=127.0.0.1/32, 192.168.1.7"
|
||||||
|
- "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
|
||||||
|
```
|
||||||
|
|
||||||
```toml
|
```yaml tab="Kubernetes"
|
||||||
|
# Whitelisting Based on `X-Forwarded-For` with `depth=2`
|
||||||
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
|
kind: Middleware
|
||||||
|
metadata:
|
||||||
|
name: testIPwhitelist
|
||||||
|
spec:
|
||||||
|
ipWhiteList:
|
||||||
|
SourceRange:
|
||||||
|
- 127.0.0.1/32
|
||||||
|
- 192.168.1.7
|
||||||
|
ipstrategy:
|
||||||
|
depth: 2
|
||||||
|
```
|
||||||
|
|
||||||
|
```toml tab="File"
|
||||||
|
# Whitelisting Based on `X-Forwarded-For` with `depth=2`
|
||||||
[http.middlewares]
|
[http.middlewares]
|
||||||
[http.middlewares.test-ipwhitelist.ipWhiteList]
|
[http.middlewares.test-ipwhitelist.ipWhiteList]
|
||||||
sourceRange = ["127.0.0.1/32", "192.168.1.7"]
|
sourceRange = ["127.0.0.1/32", "192.168.1.7"]
|
||||||
|
@ -58,26 +91,16 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
|
||||||
depth = 2
|
depth = 2
|
||||||
```
|
```
|
||||||
|
|
||||||
??? example "Docker -- Whitelisting Based on `X-Forwarded-For` with `depth=2`"
|
|
||||||
|
|
||||||
```yml
|
|
||||||
a-container:
|
|
||||||
image: a-container-image
|
|
||||||
labels:
|
|
||||||
- "traefik.http.middlewares.testIPwhitelist.ipWhiteList.SourceRange=127.0.0.1/32, 192.168.1.7"
|
|
||||||
- "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
|
|
||||||
```
|
|
||||||
|
|
||||||
!!! note
|
!!! note
|
||||||
|
|
||||||
- If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP will be empty.
|
- If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP will be empty.
|
||||||
- `depth` is ignored if its value is is lesser than or equal to 0.
|
- `depth` is ignored if its value is is lesser than or equal to 0.
|
||||||
|
|
||||||
#### ipStrategy.excludedIPs
|
#### `ipStrategy.excludedIPs`
|
||||||
|
|
||||||
`excludedIPs` tells Traefik to scan the `X-Forwarded-For` header and pick the first IP not in the list.
|
`excludedIPs` tells Traefik to scan the `X-Forwarded-For` header and pick the first IP not in the list.
|
||||||
|
|
||||||
!!! note "Examples of ExcludedIPs & X-Forwaded-For"
|
!!! note "Examples of ExcludedIPs & X-Forwarded-For"
|
||||||
|
|
||||||
| `X-Forwarded-For` | `excludedIPs` | clientIP |
|
| `X-Forwarded-For` | `excludedIPs` | clientIP |
|
||||||
|-----------------------------------------|-----------------------|--------------|
|
|-----------------------------------------|-----------------------|--------------|
|
||||||
|
@ -90,20 +113,30 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
|
||||||
!!! important
|
!!! important
|
||||||
If `depth` is specified, `excludedIPs` is ignored.
|
If `depth` is specified, `excludedIPs` is ignored.
|
||||||
|
|
||||||
??? example "File -- Exclude from `X-Forwarded-For`"
|
```yaml tab="Docker"
|
||||||
|
# Exclude from `X-Forwarded-For`
|
||||||
|
labels:
|
||||||
|
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedIPs=127.0.0.1/32, 192.168.1.7"
|
||||||
|
```
|
||||||
|
|
||||||
```toml
|
```yaml tab="Kubernetes"
|
||||||
[http.middlewares]
|
# Exclude from `X-Forwarded-For`
|
||||||
[http.middlewares.test-ipwhitelist.ipWhiteList]
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
[http.middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
|
kind: Middleware
|
||||||
excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
|
metadata:
|
||||||
```
|
name: test-ipwhitelist
|
||||||
|
spec:
|
||||||
|
ipWhiteList:
|
||||||
|
ipstrategy:
|
||||||
|
excludedIPs:
|
||||||
|
- 127.0.0.1/32
|
||||||
|
- 192.168.1.7
|
||||||
|
```
|
||||||
|
|
||||||
??? example "Docker -- Exclude from `X-Forwarded-For`"
|
```toml tab="File"
|
||||||
|
# Exclude from `X-Forwarded-For`
|
||||||
```yml
|
[http.middlewares]
|
||||||
a-container:
|
[http.middlewares.test-ipwhitelist.ipWhiteList]
|
||||||
image: a-container-image
|
[http.middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
|
||||||
labels:
|
excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
|
||||||
- "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.excludedIPs=127.0.0.1/32, 192.168.1.7"
|
```
|
||||||
```
|
|
||||||
|
|
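Review bot: The Kubernetes tab of the `depth=2` example names the object `testIPwhitelist`, which Kubernetes is expected to reject because object names must be lowercase DNS-style names, and it spells the keys `SourceRange` and `ipstrategy` where the first Kubernetes example in this file uses `sourceRange` and the option heading is `ipStrategy`. A whitelist manifest that fails to load, or loads with an unrecognised key, may leave the route without the intended filter, so I would align it with the other tabs: `name: test-ipwhitelist`, `sourceRange:`, `ipStrategy:`. The same `ipstrategy:` spelling appears in the Kubernetes tab of the `excludedIPs` example, and the Docker labels of the depth example still say `testIPwhitelist` while the File tab says `test-ipwhitelist`. It would also help to add one sentence near `depth` saying that `X-Forwarded-For` is client-supplied unless every hop in front of Traefik is trusted to set it, since the chosen position decides which address is checked against `sourceRange`.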
|
@ -15,6 +15,16 @@ labels:
|
||||||
- "traefik.http.middlewares.test-maxconn.maxconn.amount=10"
|
- "traefik.http.middlewares.test-maxconn.maxconn.amount=10"
|
||||||
```
|
```
|
||||||
|
|
||||||
|
```yaml tab="Kubernetes"
|
||||||
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
|
kind: Middleware
|
||||||
|
metadata:
|
||||||
|
name: addprefix
|
||||||
|
spec:
|
||||||
|
addPrefix:
|
||||||
|
prefix: /bar
|
||||||
|
```
|
||||||
|
|
||||||
```toml tab="File"
|
```toml tab="File"
|
||||||
# Limiting to 10 simultaneous connections
|
# Limiting to 10 simultaneous connections
|
||||||
[http.middlewares]
|
[http.middlewares]
|
||||||
|
@ -24,7 +34,7 @@ labels:
|
||||||
|
|
||||||
## Configuration Options
|
## Configuration Options
|
||||||
|
|
||||||
### amount
|
### `amount`
|
||||||
|
|
||||||
The `amount` option defines the maximum amount of allowed simultaneous connections.
|
The `amount` option defines the maximum amount of allowed simultaneous connections.
|
||||||
The middleware will return an `HTTP 429 Too Many Requests` if there are already `amount` requests in progress (based on the same `extractorfunc` strategy).
|
The middleware will return an `HTTP 429 Too Many Requests` if there are already `amount` requests in progress (based on the same `extractorfunc` strategy).
|
||||||
|
|
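Review bot: The Kubernetes tab added to the MaxConn example is a copy of the AddPrefix manifest: it declares `name: addprefix` with `addPrefix:` / `prefix: /bar`, so applying it creates a path-prefix middleware and no connection limit at all. To match the Docker label `test-maxconn.maxconn.amount=10` it should read `name: test-maxconn`, `maxConn:`, `amount: 10` (key casing assumed from the `addPrefix` / `ipWhiteList` style used elsewhere in this commit; confirm against the CRD). The tab also lacks the `# Limiting to 10 simultaneous connections` comment that the File tab carries.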
|
@ -14,7 +14,17 @@ Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
|
||||||
```yaml tab="Docker"
|
```yaml tab="Docker"
|
||||||
# Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
|
# Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
|
||||||
labels:
|
labels:
|
||||||
- "traefik.http.middlewares.Middleware11.passtlsclientcert.pem=true"
|
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"
|
||||||
|
```
|
||||||
|
|
||||||
|
```yaml tab="Kubernetes"
|
||||||
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
|
kind: Middleware
|
||||||
|
metadata:
|
||||||
|
name: addprefix
|
||||||
|
spec:
|
||||||
|
passtlsclientcert:
|
||||||
|
pem: true
|
||||||
```
|
```
|
||||||
|
|
||||||
```toml tab="File"
|
```toml tab="File"
|
||||||
|
@ -48,6 +58,36 @@ labels:
|
||||||
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"
|
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"
|
||||||
```
|
```
|
||||||
|
|
||||||
|
```yaml tab="Kubernetes"
|
||||||
|
# Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
|
||||||
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
|
kind: Middleware
|
||||||
|
metadata:
|
||||||
|
name: test-passtlsclientcert
|
||||||
|
spec:
|
||||||
|
passtlsclientcert:
|
||||||
|
info:
|
||||||
|
notAfter: true
|
||||||
|
notBefore: true
|
||||||
|
sans: true
|
||||||
|
subject:
|
||||||
|
country: true
|
||||||
|
province: true
|
||||||
|
locality: true
|
||||||
|
organization: true
|
||||||
|
commonName: true
|
||||||
|
serialNumber: true
|
||||||
|
domainComponent: true
|
||||||
|
issuer:
|
||||||
|
country: true
|
||||||
|
province: true
|
||||||
|
locality: true
|
||||||
|
organization: true
|
||||||
|
commonName: true
|
||||||
|
serialNumber: true
|
||||||
|
domainComponent: true
|
||||||
|
```
|
||||||
|
|
||||||
```toml tab="File"
|
```toml tab="File"
|
||||||
# Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
|
# Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
|
||||||
[http.middlewares]
|
[http.middlewares]
|
||||||
|
@ -192,7 +232,7 @@ In the following example, you can see a complete certificate. We will use each p
|
||||||
-----END CERTIFICATE-----
|
-----END CERTIFICATE-----
|
||||||
```
|
```
|
||||||
|
|
||||||
### pem
|
### `pem`
|
||||||
|
|
||||||
The `pem` option sets the `X-Forwarded-Tls-Client-Cert` header with the escape certificate.
|
The `pem` option sets the `X-Forwarded-Tls-Client-Cert` header with the escape certificate.
|
||||||
In the example, it is the part between `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` delimiters :
|
In the example, it is the part between `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` delimiters :
|
||||||
|
@ -243,7 +283,7 @@ In the example, it is the part between `-----BEGIN CERTIFICATE-----` and `-----E
|
||||||
The delimiters and `\n` will be removed.
|
The delimiters and `\n` will be removed.
|
||||||
If there are more than one certificate, they are separated by a "`;`".
|
If there are more than one certificate, they are separated by a "`;`".
|
||||||
|
|
||||||
### info
|
### `info`
|
||||||
|
|
||||||
The `info` option select the specific client certificate details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.
|
The `info` option select the specific client certificate details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.
|
||||||
The value of the header will be an escaped concatenation of all the selected certificate details.
|
The value of the header will be an escaped concatenation of all the selected certificate details.
|
||||||
|
@ -257,7 +297,7 @@ Subject="DC=org,DC=cheese,C=FR,C=US,ST=Cheese org state,ST=Cheese com state,L=TO
|
||||||
|
|
||||||
If there are more than one certificate, they are separated by a `;`.
|
If there are more than one certificate, they are separated by a `;`.
|
||||||
|
|
||||||
#### info.notafter
|
#### `info.notafter`
|
||||||
|
|
||||||
Set the `info.notafter` option to `true` to add the `Not After` information from the `Validity` part.
|
Set the `info.notafter` option to `true` to add the `Not After` information from the `Validity` part.
|
||||||
The data are taken from the following certificate part:
|
The data are taken from the following certificate part:
|
||||||
|
@ -273,7 +313,7 @@ The escape `notafter` info part will be like:
|
||||||
NA=1607166616
|
NA=1607166616
|
||||||
```
|
```
|
||||||
|
|
||||||
#### info.notbefore
|
#### `info.notbefore`
|
||||||
|
|
||||||
Set the `info.notafter` option to `true` to add the `Not Before` information from the `Validity` part.
|
Set the `info.notafter` option to `true` to add the `Not Before` information from the `Validity` part.
|
||||||
|
|
||||||
|
@ -290,7 +330,7 @@ The escape `notafter` info part will be like:
|
||||||
NB=1544094616
|
NB=1544094616
|
||||||
```
|
```
|
||||||
|
|
||||||
#### info.sans
|
#### `info.sans`
|
||||||
|
|
||||||
Set the `info.sans` option to `true` to add the `Subject Alternative Name` information from the `Subject Alternative Name` part.
|
Set the `info.sans` option to `true` to add the `Subject Alternative Name` information from the `Subject Alternative Name` part.
|
||||||
The data are taken from the following certificate part:
|
The data are taken from the following certificate part:
|
||||||
|
@ -310,7 +350,7 @@ SAN=*.cheese.org,*.cheese.net,*.cheese.com,test@cheese.org,test@cheese.net,10.0.
|
||||||
|
|
||||||
All the SANs data are separated by a `,`.
|
All the SANs data are separated by a `,`.
|
||||||
|
|
||||||
#### info.subject
|
#### `info.subject`
|
||||||
|
|
||||||
The `info.subject` select the specific client certificate subject details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.
|
The `info.subject` select the specific client certificate subject details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.
|
||||||
|
|
||||||
|
@ -320,7 +360,7 @@ The data are taken from the following certificate part :
|
||||||
Subject: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=*.cheese.org, CN=*.cheese.com, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Cheese org state, ST=Cheese com state/emailAddress=cert@cheese.org/emailAddress=cert@scheese.com
|
Subject: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=*.cheese.org, CN=*.cheese.com, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Cheese org state, ST=Cheese com state/emailAddress=cert@cheese.org/emailAddress=cert@scheese.com
|
||||||
```
|
```
|
||||||
|
|
||||||
##### info.subject.country
|
##### `info.subject.country`
|
||||||
|
|
||||||
Set the `info.subject.country` option to true to add the `country` information into the subject.
|
Set the `info.subject.country` option to true to add the `country` information into the subject.
|
||||||
The data are taken from the subject part with the `C` key.
|
The data are taken from the subject part with the `C` key.
|
||||||
|
@ -330,7 +370,7 @@ The escape country info in the subject part will be like :
|
||||||
C=FR,C=US
|
C=FR,C=US
|
||||||
```
|
```
|
||||||
|
|
||||||
##### info.subject.province
|
##### `info.subject.province`
|
||||||
|
|
||||||
Set the `info.subject.province` option to true to add the `province` information into the subject.
|
Set the `info.subject.province` option to true to add the `province` information into the subject.
|
||||||
|
|
||||||
|
@ -342,7 +382,7 @@ The escape province info in the subject part will be like :
|
||||||
ST=Cheese org state,ST=Cheese com state
|
ST=Cheese org state,ST=Cheese com state
|
||||||
```
|
```
|
||||||
|
|
||||||
##### info.subject.locality
|
##### `info.subject.locality`
|
||||||
|
|
||||||
Set the `info.subject.locality` option to true to add the `locality` information into the subject.
|
Set the `info.subject.locality` option to true to add the `locality` information into the subject.
|
||||||
|
|
||||||
|
@ -354,7 +394,7 @@ The escape locality info in the subject part will be like :
|
||||||
L=TOULOUSE,L=LYON
|
L=TOULOUSE,L=LYON
|
||||||
```
|
```
|
||||||
|
|
||||||
##### info.subject.organization
|
##### `info.subject.organization`
|
||||||
|
|
||||||
Set the `info.subject.organization` option to true to add the `organization` information into the subject.
|
Set the `info.subject.organization` option to true to add the `organization` information into the subject.
|
||||||
|
|
||||||
|
@ -366,31 +406,31 @@ The escape organization info in the subject part will be like :
|
||||||
O=Cheese,O=Cheese 2
|
O=Cheese,O=Cheese 2
|
||||||
```
|
```
|
||||||
|
|
||||||
##### info.subject.commonname
|
##### `info.subject.commonname`
|
||||||
|
|
||||||
Set the `info.subject.commonname` option to true to add the `commonname` information into the subject.
|
Set the `info.subject.commonname` option to true to add the `commonname` information into the subject.
|
||||||
|
|
||||||
The data are taken from the subject part with the `CN` key.
|
The data are taken from the subject part with the `CN` key.
|
||||||
|
|
||||||
The escape commonname info in the subject part will be like :
|
The escape common name info in the subject part will be like :
|
||||||
|
|
||||||
```text
|
```text
|
||||||
CN=*.cheese.com
|
CN=*.cheese.com
|
||||||
```
|
```
|
||||||
|
|
||||||
##### info.subject.serialnumber
|
##### `info.subject.serialnumber`
|
||||||
|
|
||||||
Set the `info.subject.serialnumber` option to true to add the `serialnumber` information into the subject.
|
Set the `info.subject.serialnumber` option to true to add the `serialnumber` information into the subject.
|
||||||
|
|
||||||
The data are taken from the subject part with the `SN` key.
|
The data are taken from the subject part with the `SN` key.
|
||||||
|
|
||||||
The escape serialnumber info in the subject part will be like :
|
The escape serial number info in the subject part will be like :
|
||||||
|
|
||||||
```text
|
```text
|
||||||
SN=1234567890
|
SN=1234567890
|
||||||
```
|
```
|
||||||
|
|
||||||
##### info.subject.domaincomponent
|
##### `info.subject.domaincomponent`
|
||||||
|
|
||||||
Set the `info.subject.domaincomponent` option to true to add the `domaincomponent` information into the subject.
|
Set the `info.subject.domaincomponent` option to true to add the `domaincomponent` information into the subject.
|
||||||
|
|
||||||
|
@ -402,7 +442,7 @@ The escape domaincomponent info in the subject part will be like :
|
||||||
DC=org,DC=cheese
|
DC=org,DC=cheese
|
||||||
```
|
```
|
||||||
|
|
||||||
#### info.issuer
|
#### `info.issuer`
|
||||||
|
|
||||||
The `info.issuer` select the specific client certificate issuer details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.
|
The `info.issuer` select the specific client certificate issuer details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.
|
||||||
|
|
||||||
|
@ -412,7 +452,7 @@ The data are taken from the following certificate part :
|
||||||
Issuer: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=Simple Signing CA, CN=Simple Signing CA 2, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Signing State, ST=Signing State 2/emailAddress=simple@signing.com/emailAddress=simple2@signing.com
|
Issuer: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=Simple Signing CA, CN=Simple Signing CA 2, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Signing State, ST=Signing State 2/emailAddress=simple@signing.com/emailAddress=simple2@signing.com
|
||||||
```
|
```
|
||||||
|
|
||||||
##### info.issuer.country
|
##### `info.issuer.country`
|
||||||
|
|
||||||
Set the `info.issuer.country` option to true to add the `country` information into the issuer.
|
Set the `info.issuer.country` option to true to add the `country` information into the issuer.
|
||||||
The data are taken from the issuer part with the `C` key.
|
The data are taken from the issuer part with the `C` key.
|
||||||
|
@ -422,7 +462,7 @@ The escape country info in the issuer part will be like :
|
||||||
C=FR,C=US
|
C=FR,C=US
|
||||||
```
|
```
|
||||||
|
|
||||||
##### info.issuer.province
|
##### `info.issuer.province`
|
||||||
|
|
||||||
Set the `info.issuer.province` option to true to add the `province` information into the issuer.
|
Set the `info.issuer.province` option to true to add the `province` information into the issuer.
|
||||||
|
|
||||||
|
@ -434,7 +474,7 @@ The escape province info in the issuer part will be like :
|
||||||
ST=Signing State,ST=Signing State 2
|
ST=Signing State,ST=Signing State 2
|
||||||
```
|
```
|
||||||
|
|
||||||
##### info.issuer.locality
|
##### `info.issuer.locality`
|
||||||
|
|
||||||
Set the `info.issuer.locality` option to true to add the `locality` information into the issuer.
|
Set the `info.issuer.locality` option to true to add the `locality` information into the issuer.
|
||||||
|
|
||||||
|
@ -446,7 +486,7 @@ The escape locality info in the issuer part will be like :
|
||||||
L=TOULOUSE,L=LYON
|
L=TOULOUSE,L=LYON
|
||||||
```
|
```
|
||||||
|
|
||||||
##### info.issuer.organization
|
##### `info.issuer.organization`
|
||||||
|
|
||||||
Set the `info.issuer.organization` option to true to add the `organization` information into the issuer.
|
Set the `info.issuer.organization` option to true to add the `organization` information into the issuer.
|
||||||
|
|
||||||
|
@ -458,37 +498,37 @@ The escape organization info in the issuer part will be like :
|
||||||
O=Cheese,O=Cheese 2
|
O=Cheese,O=Cheese 2
|
||||||
```
|
```
|
||||||
|
|
||||||
##### info.issuer.commonname
|
##### `info.issuer.commonname`
|
||||||
|
|
||||||
Set the `info.issuer.commonname` option to true to add the `commonname` information into the issuer.
|
Set the `info.issuer.commonname` option to true to add the `commonname` information into the issuer.
|
||||||
|
|
||||||
The data are taken from the issuer part with the `CN` key.
|
The data are taken from the issuer part with the `CN` key.
|
||||||
|
|
||||||
The escape commonname info in the issuer part will be like :
|
The escape common name info in the issuer part will be like :
|
||||||
|
|
||||||
```text
|
```text
|
||||||
CN=Simple Signing CA 2
|
CN=Simple Signing CA 2
|
||||||
```
|
```
|
||||||
|
|
||||||
##### info.issuer.serialnumber
|
##### `info.issuer.serialnumber`
|
||||||
|
|
||||||
Set the `info.issuer.serialnumber` option to true to add the `serialnumber` information into the issuer.
|
Set the `info.issuer.serialnumber` option to true to add the `serialnumber` information into the issuer.
|
||||||
|
|
||||||
The data are taken from the issuer part with the `SN` key.
|
The data are taken from the issuer part with the `SN` key.
|
||||||
|
|
||||||
The escape serialnumber info in the issuer part will be like :
|
The escape serial number info in the issuer part will be like :
|
||||||
|
|
||||||
```text
|
```text
|
||||||
SN=1234567890
|
SN=1234567890
|
||||||
```
|
```
|
||||||
|
|
||||||
##### info.issuer.domaincomponent
|
##### `info.issuer.domaincomponent`
|
||||||
|
|
||||||
Set the `info.issuer.domaincomponent` option to true to add the `domaincomponent` information into the issuer.
|
Set the `info.issuer.domaincomponent` option to true to add the `domaincomponent` information into the issuer.
|
||||||
|
|
||||||
The data are taken from the issuer part with the `DC` key.
|
The data are taken from the issuer part with the `DC` key.
|
||||||
|
|
||||||
The escape domaincomponent info in the issuer part will be like :
|
The escape domain component info in the issuer part will be like :
|
||||||
|
|
||||||
```text
|
```text
|
||||||
DC=org,DC=cheese
|
DC=org,DC=cheese
|
||||||
|
|
|
@ -44,7 +44,7 @@ The RateLimit middleware ensures that services will receive a _fair_ number of r
|
||||||
|
|
||||||
## Configuration Options
|
## Configuration Options
|
||||||
|
|
||||||
### extractorfunc
|
### `extractorfunc`
|
||||||
|
|
||||||
The `extractorfunc` option defines the strategy used to categorize requests.
|
The `extractorfunc` option defines the strategy used to categorize requests.
|
||||||
|
|
||||||
|
@ -54,12 +54,12 @@ The possible values are:
|
||||||
- `client.ip` categorizes requests based on the client ip.
|
- `client.ip` categorizes requests based on the client ip.
|
||||||
- `request.header.ANY_HEADER` categorizes requests based on the provided `ANY_HEADER` value.
|
- `request.header.ANY_HEADER` categorizes requests based on the provided `ANY_HEADER` value.
|
||||||
|
|
||||||
### ratelimit (multiple values)
|
### `ratelimit` (multiple values)
|
||||||
|
|
||||||
You can combine multiple ratelimit.
|
You can combine multiple rate limits.
|
||||||
The ratelimit will trigger with the first reached limit.
|
The rate limit will trigger with the first reached limit.
|
||||||
|
|
||||||
Each ratelimit has 3 options, `period`, `average`, and `burst`.
|
Each rate limit has 3 options, `period`, `average`, and `burst`.
|
||||||
|
|
||||||
The rate limit will allow an average of `average` requests every `period`, with a maximum of `burst` request on that period.
|
The rate limit will allow an average of `average` requests every `period`, with a maximum of `burst` request on that period.
|
||||||
|
|
||||||
|
|
|
@ -9,32 +9,40 @@ RegexRedirect redirect a request from an url to another with regex matching and
|
||||||
|
|
||||||
## Configuration Examples
|
## Configuration Examples
|
||||||
|
|
||||||
??? example "File -- Redirect with domain replacement"
|
```yaml tab="Docker"
|
||||||
|
# Redirect with domain replacement
|
||||||
|
labels:
|
||||||
|
- "traefik.http.middlewares.test-redirectregex.redirectregex.regex=^http://localhost/(.*)"
|
||||||
|
- "traefik.http.middlewares.test-redirectregex.redirectregex.replacement=http://mydomain/$1"
|
||||||
|
```
|
||||||
|
|
||||||
```toml
|
```yaml tab="Kubernetes"
|
||||||
[http.middlewares]
|
# Redirect with domain replacement
|
||||||
[http.middlewares.test-redirectregex.redirectregex]
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
regex = "^http://localhost/(.*)"
|
kind: Middleware
|
||||||
replacement = "http://mydomain/$1"
|
metadata:
|
||||||
```
|
name: test-redirectregex
|
||||||
|
spec:
|
||||||
|
redirectRegex:
|
||||||
|
regex: ^http://localhost/(.*)
|
||||||
|
replacement: http://mydomain/$1
|
||||||
|
```
|
||||||
|
|
||||||
??? example "Docker -- Redirect with domain replacement"
|
```toml tab="File"
|
||||||
|
# Redirect with domain replacement
|
||||||
```yml
|
[http.middlewares]
|
||||||
a-container:
|
[http.middlewares.test-redirectregex.redirectregex]
|
||||||
image: a-container-image
|
regex = "^http://localhost/(.*)"
|
||||||
labels:
|
replacement = "http://mydomain/$1"
|
||||||
- "traefik.http.middlewares.test-redirectregex.redirectregex.regex=^http://localhost/(.*)"
|
```
|
||||||
- "traefik.http.middlewares.test-redirectregex.redirectregex.replacement=http://mydomain/$1"
|
|
||||||
```
|
|
||||||
|
|
||||||
## Configuration Options
|
## Configuration Options
|
||||||
|
|
||||||
### permanent
|
### `permanent`
|
||||||
|
|
||||||
Set the `permanent` option to `true` to apply a permanent redirection.
|
Set the `permanent` option to `true` to apply a permanent redirection.
|
||||||
|
|
||||||
### regex
|
### `regex`
|
||||||
|
|
||||||
The `Regex` option is the regular expression to match and capture elements form the request URL.
|
The `Regex` option is the regular expression to match and capture elements form the request URL.
|
||||||
|
|
||||||
|
@ -46,7 +54,7 @@ The `Regex` option is the regular expression to match and capture elements form
|
||||||
|
|
||||||
Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
|
Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
|
||||||
|
|
||||||
### replacement
|
### `replacement`
|
||||||
|
|
||||||
The `replacement` option defines how to modify the URl to have the new target URL.
|
The `replacement` option defines how to modify the URl to have the new target URL.
|
||||||
|
|
|
@ -9,33 +9,40 @@ RegexRedirect redirect request from a scheme to another.
|
||||||
|
|
||||||
## Configuration Examples
|
## Configuration Examples
|
||||||
|
|
||||||
??? example "File -- Redirect to https"
|
```yaml tab="Docker"
|
||||||
|
# Redirect to https
|
||||||
|
labels:
|
||||||
|
- "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
|
||||||
|
```
|
||||||
|
|
||||||
```toml
|
```yaml tab="Kubernetes"
|
||||||
[http.middlewares]
|
# Redirect to https
|
||||||
[http.middlewares.test-redirectscheme.redirectscheme]
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
scheme = "https"
|
kind: Middleware
|
||||||
```
|
metadata:
|
||||||
|
name: test-redirectscheme
|
||||||
|
spec:
|
||||||
|
redirectScheme:
|
||||||
|
scheme: https
|
||||||
|
```
|
||||||
|
|
||||||
??? example "Docker -- Redirect to https"
|
```toml tab="File"
|
||||||
|
# Redirect to https
|
||||||
```yml
|
[http.middlewares]
|
||||||
a-container:
|
[http.middlewares.test-redirectscheme.redirectscheme]
|
||||||
image: a-container-image
|
scheme = "https"
|
||||||
labels:
|
```
|
||||||
- "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
|
|
||||||
```
|
|
||||||
|
|
||||||
## Configuration Options
|
## Configuration Options
|
||||||
|
|
||||||
### permanent
|
### `permanent`
|
||||||
|
|
||||||
Set the `permanent` option to `true` to apply a permanent redirection.
|
Set the `permanent` option to `true` to apply a permanent redirection.
|
||||||
|
|
||||||
### scheme
|
### `scheme`
|
||||||
|
|
||||||
The `scheme` option defines the scheme of the new url.
|
The `scheme` option defines the scheme of the new url.
|
||||||
|
|
||||||
### port
|
### `port`
|
||||||
|
|
||||||
The `port` option defines the port of the new url.
|
The `port` option defines the port of the new url.
|
||||||
|
|
|
@ -9,22 +9,29 @@ Replace the path of the request url.
|
||||||
|
|
||||||
## Configuration Examples
|
## Configuration Examples
|
||||||
|
|
||||||
??? example "File -- Replace the path by /foo"
|
```yaml tab="Docker"
|
||||||
|
# Replace the path by /foo
|
||||||
|
labels:
|
||||||
|
- "traefik.http.middlewares.test-replacepath.replacepath.path=/foo"
|
||||||
|
```
|
||||||
|
|
||||||
```toml
|
```yaml tab="Kubernetes"
|
||||||
[http.middlewares]
|
# Replace the path by /foo
|
||||||
[http.middlewares.test-replacepath.ReplacePath]
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
path = "/foo"
|
kind: Middleware
|
||||||
```
|
metadata:
|
||||||
|
name: test-replacepath
|
||||||
|
spec:
|
||||||
|
replacePath:
|
||||||
|
path: /foo
|
||||||
|
```
|
||||||
|
|
||||||
??? example "Docker --Replace the path by /foo"
|
```toml tab="File"
|
||||||
|
# Replace the path by /foo
|
||||||
```yaml
|
[http.middlewares]
|
||||||
a-container:
|
[http.middlewares.test-replacepath.ReplacePath]
|
||||||
image: a-container-image
|
path = "/foo"
|
||||||
labels:
|
```
|
||||||
- "traefik.http.middlewares.test-replacepath.replacepath.path=/foo"
|
|
||||||
```
|
|
||||||
|
|
||||||
## Configuration Options
|
## Configuration Options
|
||||||
|
|
||||||
|
@ -35,6 +42,6 @@ The ReplacePath middleware will:
|
||||||
* replace the actual path by the specified one.
|
* replace the actual path by the specified one.
|
||||||
* store the original path in a `X-Replaced-Path` header.
|
* store the original path in a `X-Replaced-Path` header.
|
||||||
|
|
||||||
### path
|
### `path`
|
||||||
|
|
||||||
The `path` option defines the path to use as replacement in the request url.
|
The `path` option defines the path to use as replacement in the request url.
|
||||||
|
|