From c315b4e06495b685a4e1abe82eb67ec283acba40 Mon Sep 17 00:00:00 2001 From: Jean-Baptiste Doumenjou Date: Fri, 10 Jul 2020 18:48:03 +0200 Subject: [PATCH] Change the default value of insecureSNI * fix: allow domain fronting by default * review: typo. * review: doc. Co-authored-by: Fernandez Ludovic --- docs/content/https/tls.md | 2 +- docs/content/migration/v2.md | 103 ++---------------- .../reference/static-configuration/cli-ref.md | 2 +- .../reference/static-configuration/env-ref.md | 2 +- pkg/config/static/static_config.go | 7 +- 5 files changed, 21 insertions(+), 95 deletions(-) diff --git a/docs/content/https/tls.md b/docs/content/https/tls.md index 1ba56c62b..60ed8e4be 100644 --- a/docs/content/https/tls.md +++ b/docs/content/https/tls.md @@ -137,7 +137,7 @@ connection with a specific domain name, thanks to the [Server Name Indication](https://en.wikipedia.org/wiki/Server_Name_Indication), then access a service with another domain set in the HTTP `Host` header. -Since the `v2.2.2`, Traefik avoids (by default) using domain fronting. +Since the `v2.2.4`, Traefik has the option to avoid domain fronting thanks to the `insecureSNI` global flag. As it is valid for advanced use cases, the `HostHeader` and `HostSNI` [rules](../routing/routers/index.md#rule) allow to fine tune the routing with the `Server Name Indication` and `Host header` value. diff --git a/docs/content/migration/v2.md b/docs/content/migration/v2.md index 678d3d2cf..9fdd2e971 100644 --- a/docs/content/migration/v2.md +++ b/docs/content/migration/v2.md 
@@ -4,114 +4,35 @@ ### Domain fronting -In `v2.2.2` we introduced the ability to avoid [Domain fronting](https://en.wikipedia.org/wiki/Domain_fronting), -and enabled it by default for [https routers](../routing/routers/index.md#rule) configured with ```Host(`something`)```. +In `v2.2.2` we introduced the ability to avoid [Domain fronting](https://en.wikipedia.org/wiki/Domain_fronting) for [https routers](../routing/routers/index.md#rule) configured with ```Host(`something`)``` but we disabled it for compatibility reasons by default. -!!! example "Allow Domain Fronting on a Specific Router" - - !!! info "Before v2.2.2" - - ```yaml tab="Docker" - labels: - - "traefik.http.routers.router0.rule=Host(`test.localhost`)" - ``` - - ```yaml tab="K8s Ingress" - apiVersion: traefik.containo.us/v1alpha1 - kind: IngressRoute - metadata: - name: ingressroutebar - - spec: - entryPoints: - - http - routes: - - match: Host(`test.localhost`) - kind: Rule - services: - - name: server0 - port: 80 - - name: server1 - port: 80 - ``` - - ```toml tab="File (TOML)" - [http.routers.router0] - rule = "Host(`test.localhost`)" - service = "my-service" - ``` - - ```toml tab="File (YAML)" - http: - routers: - router0: - rule: "Host(`test.localhost`)" - service: my-service - ``` +Nothing special is required to keep the previous behavior. - !!! 
info "v2.2.2" - - ```yaml tab="Docker" - labels: - - "traefik.http.routers.router0.rule=HostHeader(`test.localhost`)" - ``` - - ```yaml tab="K8s Ingress" - apiVersion: traefik.containo.us/v1alpha1 - kind: IngressRoute - metadata: - name: ingressroutebar - - spec: - entryPoints: - - http - routes: - - match: HostHeader(`test.localhost`) - kind: Rule - services: - - name: server0 - port: 80 - - name: server1 - port: 80 - ``` - - ```toml tab="File (TOML)" - [http.routers.router0] - rule = "HostHeader(`test.localhost`)" - service = "my-service" - ``` - - ```toml tab="File (YAML)" - http: - routers: - router0: - rule: "HostHeader(`test.localhost`)" - service: my-service - ``` +However, a new flag is available as a global option to disable domain fronting. -As a fallback, a new flag is available as a global option: - -!!! example "Enabling Domain Fronting for All Routers" +!!! example "Disabling Domain Fronting for All Routers" ```toml tab="File (TOML)" # Static configuration [global] - # Enabling domain fronting - insecureSNI = true + # Disabling domain fronting + insecureSNI = false ``` ```yaml tab="File (YAML)" # Static configuration global: - # Enabling domain fronting - insecureSNI: true + # Disabling domain fronting + insecureSNI: false ``` ```bash tab="CLI" - # Enabling domain fronting - --global.insecureSNI + # Disabling domain fronting + --global.insecureSNI=false ``` +To fine tune the HTTPS routing with Domain Fronting disabled, two new HTTP rules `HostSNI` and `HostHeader` are available. + ## v2.0 to v2.1 ### Kubernetes CRD diff --git a/docs/content/reference/static-configuration/cli-ref.md b/docs/content/reference/static-configuration/cli-ref.md index 83b266711..d5d04ade3 100644 --- a/docs/content/reference/static-configuration/cli-ref.md +++ b/docs/content/reference/static-configuration/cli-ref.md 
@@ -163,7 +163,7 @@ WriteTimeout is the maximum duration before timing out writes of the response. I Periodically check if a new version has been released. (Default: ```false```) `--global.insecuresni`: -Allow domain fronting. If the option is not specified, it will be disabled by default. (Default: ```false```) +Allow domain fronting. If the option is not specified, it will be enabled by default. (Default: ```true```) `--global.sendanonymoususage`: Periodically send anonymous usage statistics. If the option is not specified, it will be enabled by default. (Default: ```false```) diff --git a/docs/content/reference/static-configuration/env-ref.md b/docs/content/reference/static-configuration/env-ref.md index f4fb6a80a..4a522d5a4 100644 --- a/docs/content/reference/static-configuration/env-ref.md +++ b/docs/content/reference/static-configuration/env-ref.md @@ -163,7 +163,7 @@ WriteTimeout is the maximum duration before timing out writes of the response. I Periodically check if a new version has been released. (Default: ```false```) `TRAEFIK_GLOBAL_INSECURESNI`: -Allow domain fronting. If the option is not specified, it will be disabled by default. (Default: ```false```) +Allow domain fronting. If the option is not specified, it will be enabled by default. (Default: ```true```) `TRAEFIK_GLOBAL_SENDANONYMOUSUSAGE`: Periodically send anonymous usage statistics. If the option is not specified, it will be enabled by default. (Default: ```false```) diff --git a/pkg/config/static/static_config.go b/pkg/config/static/static_config.go index b35ddce03..55ce063cd 100644 --- a/pkg/config/static/static_config.go +++ b/pkg/config/static/static_config.go 
@@ -79,7 +79,12 @@ type CertificateResolver struct {
 type Global struct {
 	CheckNewVersion bool `description:"Periodically check if a new version has been released." json:"checkNewVersion,omitempty" toml:"checkNewVersion,omitempty" yaml:"checkNewVersion,omitempty" label:"allowEmpty" export:"true"`
 	SendAnonymousUsage bool `description:"Periodically send anonymous usage statistics. If the option is not specified, it will be enabled by default." json:"sendAnonymousUsage,omitempty" toml:"sendAnonymousUsage,omitempty" yaml:"sendAnonymousUsage,omitempty" label:"allowEmpty" export:"true"`
-	InsecureSNI bool `description:"Allow domain fronting. If the option is not specified, it will be disabled by default." json:"insecureSNI,omitempty" toml:"insecureSNI,omitempty" yaml:"insecureSNI,omitempty" label:"allowEmpty" export:"true"`
+	InsecureSNI bool `description:"Allow domain fronting. If the option is not specified, it will be enabled by default." json:"insecureSNI,omitempty" toml:"insecureSNI,omitempty" yaml:"insecureSNI,omitempty" label:"allowEmpty" export:"true"`
+}
+
+// SetDefaults sets the default values.
+func (a *Global) SetDefaults() {
+	a.InsecureSNI = true
 }
 
 // ServersTransport options to configure communication between Traefik and the servers.
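Review bot: The new `SetDefaults` turns `InsecureSNI` on by default, but the `description` tag on the field only states the default and not what an operator gives up, so the generated CLI/env reference (the cli-ref.md and env-ref.md hunks above are produced from this tag) cannot warn them either. I would make the tag say what the tls.md hunk already explains: `description:"Allow domain fronting: a request whose TLS SNI differs from its HTTP Host header is still routed by the Host header. If the option is not specified, it will be enabled by default; set it to false when routing must follow the SNI (see the HostSNI and HostHeader rules)."`. The doc comment on `SetDefaults` could also name the one value it sets, e.g. `// SetDefaults sets the default values: domain fronting (InsecureSNI) is allowed unless explicitly disabled.`, since a reader of the struct alone has no way to see that a zero `Global` is not the effective default. Separately, `json:"insecureSNI,omitempty"` now drops an explicit `false` when the struct is marshalled; if the exported configuration is ever fed back through `SetDefaults`, the operator's disable would silently revert to `true`, so consider removing `omitempty` from this field if such a round-trip exists.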