Add HTTP3Config

This commit is contained in:
valerauko 2021-09-10 21:58:13 +09:00 committed by GitHub
parent ba3967aa16
commit 60ff50a675
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
10 changed files with 207 additions and 23 deletions

View file

@ -415,3 +415,12 @@ For more advanced use cases, you can use either the [RedirectScheme middleware](
Following up on the deprecation started [previously](#x509-commonname-deprecation), Following up on the deprecation started [previously](#x509-commonname-deprecation),
as the `x509ignoreCN=0` value for the `GODEBUG` is [deprecated in Go 1.17](https://tip.golang.org/doc/go1.17#crypto/x509), as the `x509ignoreCN=0` value for the `GODEBUG` is [deprecated in Go 1.17](https://tip.golang.org/doc/go1.17#crypto/x509),
the legacy behavior related to the CommonName field can not be enabled at all anymore. the legacy behavior related to the CommonName field can not be enabled at all anymore.
## v2.5 to v2.6
### HTTP3
Traefik v2.6 introduces the `AdvertisedPort` option,
which allows advertising, in the `Alt-Svc` header, a UDP port different from the one on which Traefik is actually listening (the EntryPoint's port).
By doing so, it introduces a new configuration structure `http3`, which replaces the `enableHTTP3` option (which therefore doesn't exist anymore).
To enable HTTP3 on an EntryPoint, please check out the [HTTP3 configuration](../routing/entrypoints.md#http3) documentation.

View file

@ -102,9 +102,6 @@ Entry points definition. (Default: ```false```)
`--entrypoints.<name>.address`: `--entrypoints.<name>.address`:
Entry point address. Entry point address.
`--entrypoints.<name>.enablehttp3`:
Enable HTTP3. (Default: ```false```)
`--entrypoints.<name>.forwardedheaders.insecure`: `--entrypoints.<name>.forwardedheaders.insecure`:
Trust all forwarded headers. (Default: ```false```) Trust all forwarded headers. (Default: ```false```)
@ -147,6 +144,12 @@ Subject alternative names.
`--entrypoints.<name>.http.tls.options`: `--entrypoints.<name>.http.tls.options`:
Default TLS options for the routers linked to the entry point. Default TLS options for the routers linked to the entry point.
`--entrypoints.<name>.http3`:
HTTP3 configuration. (Default: ```false```)
`--entrypoints.<name>.http3.advertisedport`:
UDP port to advertise, on which HTTP/3 is available. (Default: ```0```)
`--entrypoints.<name>.proxyprotocol`: `--entrypoints.<name>.proxyprotocol`:
Proxy-Protocol configuration. (Default: ```false```) Proxy-Protocol configuration. (Default: ```false```)

View file

@ -102,9 +102,6 @@ Entry points definition. (Default: ```false```)
`TRAEFIK_ENTRYPOINTS_<NAME>_ADDRESS`: `TRAEFIK_ENTRYPOINTS_<NAME>_ADDRESS`:
Entry point address. Entry point address.
`TRAEFIK_ENTRYPOINTS_<NAME>_ENABLEHTTP3`:
Enable HTTP3. (Default: ```false```)
`TRAEFIK_ENTRYPOINTS_<NAME>_FORWARDEDHEADERS_INSECURE`: `TRAEFIK_ENTRYPOINTS_<NAME>_FORWARDEDHEADERS_INSECURE`:
Trust all forwarded headers. (Default: ```false```) Trust all forwarded headers. (Default: ```false```)
@ -114,6 +111,12 @@ Trust only forwarded headers from selected IPs.
`TRAEFIK_ENTRYPOINTS_<NAME>_HTTP`: `TRAEFIK_ENTRYPOINTS_<NAME>_HTTP`:
HTTP configuration. HTTP configuration.
`TRAEFIK_ENTRYPOINTS_<NAME>_HTTP3`:
HTTP3 configuration. (Default: ```false```)
`TRAEFIK_ENTRYPOINTS_<NAME>_HTTP3_ADVERTISEDPORT`:
UDP port to advertise, on which HTTP/3 is available. (Default: ```0```)
`TRAEFIK_ENTRYPOINTS_<NAME>_HTTP_MIDDLEWARES`: `TRAEFIK_ENTRYPOINTS_<NAME>_HTTP_MIDDLEWARES`:
Default middlewares for the routers linked to the entry point. Default middlewares for the routers linked to the entry point.

View file

@ -14,7 +14,6 @@
[entryPoints] [entryPoints]
[entryPoints.EntryPoint0] [entryPoints.EntryPoint0]
address = "foobar" address = "foobar"
enableHTTP3 = true
[entryPoints.EntryPoint0.transport] [entryPoints.EntryPoint0.transport]
[entryPoints.EntryPoint0.transport.lifeCycle] [entryPoints.EntryPoint0.transport.lifeCycle]
requestAcceptGraceTimeout = 42 requestAcceptGraceTimeout = 42
@ -31,6 +30,8 @@
trustedIPs = ["foobar", "foobar"] trustedIPs = ["foobar", "foobar"]
[entryPoints.EntryPoint0.udp] [entryPoints.EntryPoint0.udp]
timeout = 42 timeout = 42
[entryPoints.EntryPoint0.http3]
advertisedPort = 42
[entryPoints.EntryPoint0.http] [entryPoints.EntryPoint0.http]
middlewares = ["foobar", "foobar"] middlewares = ["foobar", "foobar"]
[entryPoints.EntryPoint0.http.redirections] [entryPoints.EntryPoint0.http.redirections]

View file

@ -32,7 +32,8 @@ entryPoints:
trustedIPs: trustedIPs:
- foobar - foobar
- foobar - foobar
enableHTTP3: true http3:
advertisedPort: 42
udp: udp:
timeout: 42 timeout: 42
http: http:

View file

@ -100,7 +100,8 @@ They can be defined by using a file (YAML or TOML) or CLI arguments.
entryPoints: entryPoints:
name: name:
address: ":8888" # same as ":8888/tcp" address: ":8888" # same as ":8888/tcp"
enableHTTP3: true http3:
advertisedPort: 8888
transport: transport:
lifeCycle: lifeCycle:
requestAcceptGraceTimeout: 42 requestAcceptGraceTimeout: 42
@ -126,7 +127,8 @@ They can be defined by using a file (YAML or TOML) or CLI arguments.
[entryPoints] [entryPoints]
[entryPoints.name] [entryPoints.name]
address = ":8888" # same as ":8888/tcp" address = ":8888" # same as ":8888/tcp"
enableHTTP3 = true [entryPoints.name.http3]
advertisedPort = 8888
[entryPoints.name.transport] [entryPoints.name.transport]
[entryPoints.name.transport.lifeCycle] [entryPoints.name.transport.lifeCycle]
requestAcceptGraceTimeout = 42 requestAcceptGraceTimeout = 42
@ -146,7 +148,7 @@ They can be defined by using a file (YAML or TOML) or CLI arguments.
```bash tab="CLI" ```bash tab="CLI"
## Static configuration ## Static configuration
--entryPoints.name.address=:8888 # same as :8888/tcp --entryPoints.name.address=:8888 # same as :8888/tcp
--entryPoints.name.http3=true --entryPoints.name.http3.advertisedport=8888
--entryPoints.name.transport.lifeCycle.requestAcceptGraceTimeout=42 --entryPoints.name.transport.lifeCycle.requestAcceptGraceTimeout=42
--entryPoints.name.transport.lifeCycle.graceTimeOut=42 --entryPoints.name.transport.lifeCycle.graceTimeOut=42
--entryPoints.name.transport.respondingTimeouts.readTimeout=42 --entryPoints.name.transport.respondingTimeouts.readTimeout=42
@ -221,9 +223,11 @@ If both TCP and UDP are wanted for the same port, two entryPoints definitions ar
Full details for how to specify `address` can be found in [net.Listen](https://golang.org/pkg/net/#Listen) (and [net.Dial](https://golang.org/pkg/net/#Dial)) of the doc for go. Full details for how to specify `address` can be found in [net.Listen](https://golang.org/pkg/net/#Listen) (and [net.Dial](https://golang.org/pkg/net/#Dial)) of the doc for go.
### EnableHTTP3 ### HTTP3
`enableHTTP3` defines that you want to enable HTTP3 on this `address`. #### `http3`
`http3` enables HTTP3 protocol on the entryPoint.
You can only enable HTTP3 on a TCP entrypoint. You can only enable HTTP3 on a TCP entrypoint.
Enabling HTTP3 will automatically add the correct headers for the connection upgrade to HTTP3. Enabling HTTP3 will automatically add the correct headers for the connection upgrade to HTTP3.
@ -240,22 +244,51 @@ Enabling HTTP3 will automatically add the correct headers for the connection upg
```yaml tab="File (YAML)" ```yaml tab="File (YAML)"
experimental: experimental:
http3: true http3: true
entryPoints: entryPoints:
name: name:
enableHTTP3: true http3: {}
``` ```
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[experimental] [experimental]
http3 = true http3 = true
[entryPoints.name] [entryPoints.name.http3]
enableHTTP3 = true
``` ```
```bash tab="CLI" ```bash tab="CLI"
--experimental.http3=true --entrypoints.name.enablehttp3=true --experimental.http3=true --entrypoints.name.http3
```
#### `advertisedPort`
`http3.advertisedPort` defines which UDP port to advertise as the HTTP3 authority.
It defaults to the entrypoint's address port.
It can be used to override the authority in the `alt-svc` header, for example if the public facing port is different from where Traefik is listening.
!!! info "http3.advertisedPort"
```yaml tab="File (YAML)"
experimental:
http3: true
entryPoints:
name:
http3:
advertisedPort: 443
```
```toml tab="File (TOML)"
[experimental]
http3 = true
[entryPoints.name.http3]
advertisedPort = 443
```
```bash tab="CLI"
--experimental.http3=true --entrypoints.name.http3.advertisedport=443
``` ```
### Forwarded Headers ### Forwarded Headers

View file

@ -16,7 +16,7 @@ type EntryPoint struct {
ProxyProtocol *ProxyProtocol `description:"Proxy-Protocol configuration." json:"proxyProtocol,omitempty" toml:"proxyProtocol,omitempty" yaml:"proxyProtocol,omitempty" label:"allowEmpty" file:"allowEmpty" export:"true"` ProxyProtocol *ProxyProtocol `description:"Proxy-Protocol configuration." json:"proxyProtocol,omitempty" toml:"proxyProtocol,omitempty" yaml:"proxyProtocol,omitempty" label:"allowEmpty" file:"allowEmpty" export:"true"`
ForwardedHeaders *ForwardedHeaders `description:"Trust client forwarding headers." json:"forwardedHeaders,omitempty" toml:"forwardedHeaders,omitempty" yaml:"forwardedHeaders,omitempty" export:"true"` ForwardedHeaders *ForwardedHeaders `description:"Trust client forwarding headers." json:"forwardedHeaders,omitempty" toml:"forwardedHeaders,omitempty" yaml:"forwardedHeaders,omitempty" export:"true"`
HTTP HTTPConfig `description:"HTTP configuration." json:"http,omitempty" toml:"http,omitempty" yaml:"http,omitempty" export:"true"` HTTP HTTPConfig `description:"HTTP configuration." json:"http,omitempty" toml:"http,omitempty" yaml:"http,omitempty" export:"true"`
EnableHTTP3 bool `description:"Enable HTTP3." json:"enableHTTP3,omitempty" toml:"enableHTTP3,omitempty" yaml:"enableHTTP3,omitempty" export:"true"` HTTP3 *HTTP3Config `description:"HTTP3 configuration." json:"http3,omitempty" toml:"http3,omitempty" yaml:"http3,omitempty" label:"allowEmpty" file:"allowEmpty" export:"true"`
UDP *UDPConfig `description:"UDP configuration." json:"udp,omitempty" toml:"udp,omitempty" yaml:"udp,omitempty"` UDP *UDPConfig `description:"UDP configuration." json:"udp,omitempty" toml:"udp,omitempty" yaml:"udp,omitempty"`
} }
@ -72,6 +72,11 @@ type RedirectEntryPoint struct {
Priority int `description:"Priority of the generated router." json:"priority,omitempty" toml:"priority,omitempty" yaml:"priority,omitempty" export:"true"` Priority int `description:"Priority of the generated router." json:"priority,omitempty" toml:"priority,omitempty" yaml:"priority,omitempty" export:"true"`
} }
// HTTP3Config is the HTTP3 configuration of an entry point.
type HTTP3Config struct {
AdvertisedPort int32 `description:"UDP port to advertise, on which HTTP/3 is available." json:"advertisedPort,omitempty" toml:"advertisedPort,omitempty" yaml:"advertisedPort,omitempty" export:"true"`
}
// SetDefaults sets the default values. // SetDefaults sets the default values.
func (r *RedirectEntryPoint) SetDefaults() { func (r *RedirectEntryPoint) SetDefaults() {
r.Scheme = "https" r.Scheme = "https"

View file

@ -249,8 +249,11 @@ func (c *Configuration) SetEffectiveConfiguration() {
} }
if c.Experimental == nil || !c.Experimental.HTTP3 { if c.Experimental == nil || !c.Experimental.HTTP3 {
for _, ep := range c.EntryPoints { for epName, ep := range c.EntryPoints {
ep.EnableHTTP3 = false if ep.HTTP3 != nil {
ep.HTTP3 = nil
log.WithoutContext().Debugf("Disabling HTTP3 configuration for entryPoint %q: HTTP3 is disabled in the experimental configuration section", epName)
}
} }
} }

View file

@ -26,7 +26,7 @@ type http3server struct {
} }
func newHTTP3Server(ctx context.Context, configuration *static.EntryPoint, httpsServer *httpServer) (*http3server, error) { func newHTTP3Server(ctx context.Context, configuration *static.EntryPoint, httpsServer *httpServer) (*http3server, error) {
if !configuration.EnableHTTP3 { if configuration.HTTP3 == nil {
return nil, nil return nil, nil
} }
@ -56,8 +56,10 @@ func newHTTP3Server(ctx context.Context, configuration *static.EntryPoint, https
previousHandler := httpsServer.Server.(*http.Server).Handler previousHandler := httpsServer.Server.(*http.Server).Handler
setQuicHeaders := getQuicHeadersSetter(configuration)
httpsServer.Server.(*http.Server).Handler = http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) { httpsServer.Server.(*http.Server).Handler = http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
err := h3.Server.SetQuicHeaders(rw.Header()) err := setQuicHeaders(rw.Header())
if err != nil { if err != nil {
log.FromContext(ctx).Errorf("failed to set HTTP3 headers: %v", err) log.FromContext(ctx).Errorf("failed to set HTTP3 headers: %v", err)
} }
@ -68,6 +70,25 @@ func newHTTP3Server(ctx context.Context, configuration *static.EntryPoint, https
return h3, nil return h3, nil
} }
// TODO: rewrite if at some point `port` become an exported field of http3.Server.
func getQuicHeadersSetter(configuration *static.EntryPoint) func(header http.Header) error {
advertisedAddress := configuration.GetAddress()
if configuration.HTTP3.AdvertisedPort != 0 {
advertisedAddress = fmt.Sprintf(`:%d`, configuration.HTTP3.AdvertisedPort)
}
// if `QuickConfig` of h3.server happens to be configured,
// it should also be configured identically in the headerServer
headerServer := &http3.Server{
Server: &http.Server{
Addr: advertisedAddress,
},
}
// set quic headers with the "header" http3 server instance
return headerServer.SetQuicHeaders
}
func (e *http3server) Start() error { func (e *http3server) Start() error {
return e.Serve(e.http3conn) return e.Serve(e.http3conn)
} }

View file

@ -0,0 +1,105 @@
package server
import (
"bufio"
"context"
"crypto/tls"
"net/http"
"testing"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/traefik/traefik/v2/pkg/config/static"
"github.com/traefik/traefik/v2/pkg/tcp"
traefiktls "github.com/traefik/traefik/v2/pkg/tls"
)
// LocalhostCert is a PEM-encoded TLS cert with SAN IPs
// "127.0.0.1" and "[::1]", expiring at Jan 29 16:00:00 2084 GMT.
// generated from src/crypto/tls:
// go run generate_cert.go --rsa-bits 1024 --host 127.0.0.1,::1,example.com --ca --start-date "Jan 1 00:00:00 1970" --duration=1000000h
var (
localhostCert = traefiktls.FileOrContent(`-----BEGIN CERTIFICATE-----
MIICEzCCAXygAwIBAgIQMIMChMLGrR+QvmQvpwAU6zANBgkqhkiG9w0BAQsFADAS
MRAwDgYDVQQKEwdBY21lIENvMCAXDTcwMDEwMTAwMDAwMFoYDzIwODQwMTI5MTYw
MDAwWjASMRAwDgYDVQQKEwdBY21lIENvMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
iQKBgQDuLnQAI3mDgey3VBzWnB2L39JUU4txjeVE6myuDqkM/uGlfjb9SjY1bIw4
iA5sBBZzHi3z0h1YV8QPuxEbi4nW91IJm2gsvvZhIrCHS3l6afab4pZBl2+XsDul
rKBxKKtD1rGxlG4LjncdabFn9gvLZad2bSysqz/qTAUStTvqJQIDAQABo2gwZjAO
BgNVHQ8BAf8EBAMCAqQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0TAQH/BAUw
AwEB/zAuBgNVHREEJzAlggtleGFtcGxlLmNvbYcEfwAAAYcQAAAAAAAAAAAAAAAA
AAAAATANBgkqhkiG9w0BAQsFAAOBgQCEcetwO59EWk7WiJsG4x8SY+UIAA+flUI9
tyC4lNhbcF2Idq9greZwbYCqTTTr2XiRNSMLCOjKyI7ukPoPjo16ocHj+P3vZGfs
h1fIw3cSS2OolhloGw/XM6RWPWtPAlGykKLciQrBru5NAPvCMsb/I1DAceTiotQM
fblo6RBxUQ==
-----END CERTIFICATE-----`)
// LocalhostKey is the private key for localhostCert.
localhostKey = traefiktls.FileOrContent(`-----BEGIN RSA PRIVATE KEY-----
MIICXgIBAAKBgQDuLnQAI3mDgey3VBzWnB2L39JUU4txjeVE6myuDqkM/uGlfjb9
SjY1bIw4iA5sBBZzHi3z0h1YV8QPuxEbi4nW91IJm2gsvvZhIrCHS3l6afab4pZB
l2+XsDulrKBxKKtD1rGxlG4LjncdabFn9gvLZad2bSysqz/qTAUStTvqJQIDAQAB
AoGAGRzwwir7XvBOAy5tM/uV6e+Zf6anZzus1s1Y1ClbjbE6HXbnWWF/wbZGOpet
3Zm4vD6MXc7jpTLryzTQIvVdfQbRc6+MUVeLKwZatTXtdZrhu+Jk7hx0nTPy8Jcb
uJqFk541aEw+mMogY/xEcfbWd6IOkp+4xqjlFLBEDytgbIECQQDvH/E6nk+hgN4H
qzzVtxxr397vWrjrIgPbJpQvBsafG7b0dA4AFjwVbFLmQcj2PprIMmPcQrooz8vp
jy4SHEg1AkEA/v13/5M47K9vCxmb8QeD/asydfsgS5TeuNi8DoUBEmiSJwma7FXY
fFUtxuvL7XvjwjN5B30pNEbc6Iuyt7y4MQJBAIt21su4b3sjXNueLKH85Q+phy2U
fQtuUE9txblTu14q3N7gHRZB4ZMhFYyDy8CKrN2cPg/Fvyt0Xlp/DoCzjA0CQQDU
y2ptGsuSmgUtWj3NM9xuwYPm+Z/F84K6+ARYiZ6PYj013sovGKUFfYAqVXVlxtIX
qyUBnu3X9ps8ZfjLZO7BAkEAlT4R5Yl6cGhaJQYZHOde3JEMhNRcVFMO8dJDaFeo
f9Oeos0UUothgiDktdQHxdNEwLjQf7lJJBzV+5OtwswCWA==
-----END RSA PRIVATE KEY-----`)
)
func TestHTTP3AdvertisedPort(t *testing.T) {
certContent, err := localhostCert.Read()
require.NoError(t, err)
keyContent, err := localhostKey.Read()
require.NoError(t, err)
tlsCert, err := tls.X509KeyPair(certContent, keyContent)
require.NoError(t, err)
epConfig := &static.EntryPointsTransport{}
epConfig.SetDefaults()
entryPoint, err := NewTCPEntryPoint(context.Background(), &static.EntryPoint{
Address: "127.0.0.1:8090",
Transport: epConfig,
ForwardedHeaders: &static.ForwardedHeaders{},
HTTP3: &static.HTTP3Config{
AdvertisedPort: 8080,
},
})
require.NoError(t, err)
router := &tcp.Router{}
router.AddRouteHTTPTLS("*", &tls.Config{
Certificates: []tls.Certificate{tlsCert},
})
router.HTTPSHandler(http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
rw.WriteHeader(http.StatusOK)
}), nil)
go entryPoint.Start(context.Background())
entryPoint.SwitchRouter(router)
conn, err := tls.Dial("tcp", "127.0.0.1:8090", &tls.Config{
InsecureSkipVerify: true,
})
require.NoError(t, err)
request, err := http.NewRequest(http.MethodGet, "https://127.0.0.1:8090", nil)
require.NoError(t, err)
err = request.Write(conn)
require.NoError(t, err)
r, err := http.ReadResponse(bufio.NewReader(conn), nil)
require.NoError(t, err)
assert.NotContains(t, r.Header.Get("Alt-Svc"), ":8090")
assert.Contains(t, r.Header.Get("Alt-Svc"), ":8080")
}