baalajimaestro/traefik
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions

Custom headers by service labels for docker backends

Browse source
This commit is contained in:
Tiscs Sun 2017-12-07 05:26:03 +08:00 committed by Traefiker
parent 260ee980e0
commit c66d9de759
7 changed files with 169 additions and 26 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
autogen/gentemplates/gen.go
View file

@ -187,6 +187,18 @@ var _templatesDockerTmpl = []byte(`{{$backendServers := .Servers}}
{{end}}]
[frontends."frontend-{{getServiceBackend $container $serviceName}}".routes."service-{{$serviceName | replace "/" "" | replace "." "-"}}"]
rule = "{{getServiceFrontendRule $container $serviceName}}"
{{if hasServiceRequestHeaders $container $serviceName}}
[frontends."frontend-{{getServiceBackend $container $serviceName}}".headers.customrequestheaders]
{{range $k, $v := getServiceRequestHeaders $container $serviceName}}
{{$k}} = "{{$v}}"
{{end}}
{{end}}
{{if hasServiceResponseHeaders $container $serviceName}}
[frontends."frontend-{{getServiceBackend $container $serviceName}}".headers.customresponseheaders]
{{range $k, $v := getServiceResponseHeaders $container $serviceName}}
{{$k}} = "{{$v}}"
{{end}}
{{end}}
{{end}}
{{else}}
[frontends."frontend-{{$frontend}}"]

24
docs/configuration/backends/docker.md
View file

@ -215,6 +215,30 @@ Services labels can be used for overriding default behaviour
| `traefik.<service-name>.frontend.rule` | Overrides `traefik.frontend.rule`. |
| `traefik.<service-name>.frontend.redirect` | Overrides `traefik.frontend.redirect`. |
#### Security Headers
| Label | Description |
|-------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `traefik.<service-name>.frontend.headers.allowedHosts=EXPR` | Provides a list of allowed hosts that requests will be processed. Format: `Host1,Host2` |
| `traefik.<service-name>.frontend.headers.customRequestHeaders=EXPR ` | Provides the container with custom request headers that will be appended to each request forwarded to the container. Format: <code>HEADER:value&vert;&vert;HEADER2:value2</code> |
| `traefik.<service-name>.frontend.headers.customResponseHeaders=EXPR` | Appends the headers to each response returned by the container, before forwarding the response to the client. Format: <code>HEADER:value&vert;&vert;HEADER2:value2</code> |
| `traefik.<service-name>.frontend.headers.hostsProxyHeaders=EXPR ` | Provides a list of headers that the proxied hostname may be stored. Format: `HEADER1,HEADER2` |
| `traefik.<service-name>.frontend.headers.SSLRedirect=true` | Forces the frontend to redirect to SSL if a non-SSL request is sent. |
| `traefik.<service-name>.frontend.headers.SSLTemporaryRedirect=true` | Forces the frontend to redirect to SSL if a non-SSL request is sent, but by sending a 302 instead of a 301. |
| `traefik.<service-name>.frontend.headers.SSLHost=HOST` | This setting configures the hostname that redirects will be based on. Default is "", which is the same host as the request. |
| `traefik.<service-name>.frontend.headers.SSLProxyHeaders=EXPR` | Header combinations that would signify a proper SSL Request (Such as `X-Forwarded-For:https`). Format: <code>HEADER:value&vert;&vert;HEADER2:value2</code> |
| `traefik.<service-name>.frontend.headers.STSSeconds=315360000` | Sets the max-age of the STS header. |
| `traefik.<service-name>.frontend.headers.STSIncludeSubdomains=true` | Adds the `IncludeSubdomains` section of the STS header. |
| `traefik.<service-name>.frontend.headers.STSPreload=true` | Adds the preload flag to the STS header. |
| `traefik.<service-name>.frontend.headers.forceSTSHeader=false` | Adds the STS header to non-SSL requests. |
| `traefik.<service-name>.frontend.headers.frameDeny=false` | Adds the `X-Frame-Options` header with the value of `DENY`. |
| `traefik.<service-name>.frontend.headers.customFrameOptionsValue=VALUE` | Overrides the `X-Frame-Options` header with the custom value. |
| `traefik.<service-name>.frontend.headers.contentTypeNosniff=true` | Adds the `X-Content-Type-Options` header with the value `nosniff`. |
| `traefik.<service-name>.frontend.headers.browserXSSFilter=true` | Adds the X-XSS-Protection header with the value `1; mode=block`. |
| `traefik.<service-name>.frontend.headers.contentSecurityPolicy=VALUE` | Adds CSP Header with the custom value. |
| `traefik.<service-name>.frontend.headers.publicKey=VALUE` | Adds pinned HTST public key header. |
| `traefik.<service-name>.frontend.headers.referrerPolicy=VALUE` | Adds referrer policy header. |
| `traefik.<service-name>.frontend.headers.isDevelopment=false` | This will cause the `AllowedHosts`, `SSLRedirect`, and `STSSeconds`/`STSIncludeSubdomains` options to be ignored during development.<br>When deploying to production, be sure to set this to false. |
!!! note
if a label is defined both as a `container label` and a `service label` (for example `traefik.<service-name>.port=PORT` and `traefik.port=PORT` ), the `service label` is used to defined the `<service-name>` property (`port` in the example).

24
provider/docker/config.go
View file

@ -81,16 +81,20 @@ func (p *Provider) buildConfiguration(containersInspected []dockerData) *types.C
"hasIsDevelopmentHeaders": hasFunc(label.TraefikFrontendIsDevelopment),
"getIsDevelopmentHeaders": getFuncBoolLabel(label.TraefikFrontendIsDevelopment, false),
"hasServices": hasServices,
"getServiceNames": getServiceNames,
"getServicePort": getServicePort,
"getServiceWeight": getFuncServiceStringLabel(label.SuffixWeight, label.DefaultWeight),
"getServiceProtocol": getFuncServiceStringLabel(label.SuffixProtocol, label.DefaultProtocol),
"getServiceEntryPoints": getFuncServiceSliceStringLabel(label.SuffixFrontendEntryPoints),
"getServiceBasicAuth": getFuncServiceSliceStringLabel(label.SuffixFrontendAuthBasic),
"getServiceFrontendRule": p.getServiceFrontendRule,
"getServicePassHostHeader": getFuncServiceStringLabel(label.SuffixFrontendPassHostHeader, label.DefaultPassHostHeader),
"getServicePriority": getFuncServiceStringLabel(label.SuffixFrontendPriority, label.DefaultFrontendPriority),
"hasServices": hasServices,
"getServiceNames": getServiceNames,
"getServicePort": getServicePort,
"hasServiceRequestHeaders": hasFuncServiceLabel(label.SuffixFrontendRequestHeaders),
"getServiceRequestHeaders": getFuncServiceMapLabel(label.SuffixFrontendRequestHeaders),
"hasServiceResponseHeaders": hasFuncServiceLabel(label.SuffixFrontendResponseHeaders),
"getServiceResponseHeaders": getFuncServiceMapLabel(label.SuffixFrontendResponseHeaders),
"getServiceWeight": getFuncServiceStringLabel(label.SuffixWeight, label.DefaultWeight),
"getServiceProtocol": getFuncServiceStringLabel(label.SuffixProtocol, label.DefaultProtocol),
"getServiceEntryPoints": getFuncServiceSliceStringLabel(label.SuffixFrontendEntryPoints),
"getServiceBasicAuth": getFuncServiceSliceStringLabel(label.SuffixFrontendAuthBasic),
"getServiceFrontendRule": p.getServiceFrontendRule,
"getServicePassHostHeader": getFuncServiceStringLabel(label.SuffixFrontendPassHostHeader, label.DefaultPassHostHeader),
"getServicePriority": getFuncServiceStringLabel(label.SuffixFrontendPriority, label.DefaultFrontendPriority),
}
// filter containers
filteredContainers := fun.Filter(func(container dockerData) bool {

14
provider/docker/config_service.go
View file

@ -88,6 +88,12 @@ func getServicePort(container dockerData, serviceName string) string {
// Service label functions
func getFuncServiceMapLabel(labelSuffix string) func(container dockerData, serviceName string) map[string]string {
return func(container dockerData, serviceName string) map[string]string {
return getServiceMapLabel(container, serviceName, labelSuffix)
}
}
func getFuncServiceSliceStringLabel(labelSuffix string) func(container dockerData, serviceName string) []string {
return func(container dockerData, serviceName string) []string {
return getServiceSliceStringLabel(container, serviceName, labelSuffix)
@ -114,6 +120,14 @@ func hasServiceLabel(container dockerData, serviceName string, labelSuffix strin
return label.Has(container.Labels, label.Prefix+labelSuffix)
}
func getServiceMapLabel(container dockerData, serviceName string, labelSuffix string) map[string]string {
if value, ok := getServiceLabels(container, serviceName)[labelSuffix]; ok {
lblName := label.GetServiceLabel(labelSuffix, serviceName)
return label.ParseMapValue(lblName, value)
}
return label.GetMapValue(container.Labels, label.Prefix+labelSuffix)
}
func getServiceSliceStringLabel(container dockerData, serviceName string, labelSuffix string) []string {
if value, ok := getServiceLabels(container, serviceName)[labelSuffix]; ok {
return label.SplitAndTrimString(value, ",")

72
provider/docker/config_service_test.go
View file

@ -7,8 +7,80 @@ import (
"github.com/containous/traefik/provider/label"
docker "github.com/docker/docker/api/types"
"github.com/stretchr/testify/assert"
)
func TestDockerGetFuncMapLabel(t *testing.T) {
serviceName := "myservice"
fakeSuffix := "frontend.foo"
fakeLabel := label.Prefix + fakeSuffix
testCases := []struct {
desc string
container docker.ContainerJSON
suffixLabel string
expectedKey string
expected map[string]string
}{
{
desc: "fallback to container label value",
container: containerJSON(labels(map[string]string{
fakeLabel: "X-Custom-Header: ContainerRequestHeader",
})),
suffixLabel: fakeSuffix,
expected: map[string]string{
"X-Custom-Header": "ContainerRequestHeader",
},
},
{
desc: "use service label instead of container label",
container: containerJSON(labels(map[string]string{
fakeLabel: "X-Custom-Header: ContainerRequestHeader",
label.GetServiceLabel(fakeLabel, serviceName): "X-Custom-Header: ServiceRequestHeader",
})),
suffixLabel: fakeSuffix,
expected: map[string]string{
"X-Custom-Header": "ServiceRequestHeader",
},
},
{
desc: "use service label with an empty value instead of container label",
container: containerJSON(labels(map[string]string{
fakeLabel: "X-Custom-Header: ContainerRequestHeader",
label.GetServiceLabel(fakeLabel, serviceName): "X-Custom-Header: ",
})),
suffixLabel: fakeSuffix,
expected: map[string]string{
"X-Custom-Header": "",
},
},
{
desc: "multiple values",
container: containerJSON(labels(map[string]string{
fakeLabel: "X-Custom-Header: MultiHeaders || Authorization: Basic YWRtaW46YWRtaW4=",
})),
suffixLabel: fakeSuffix,
expected: map[string]string{
"X-Custom-Header": "MultiHeaders",
"Authorization": "Basic YWRtaW46YWRtaW4=",
},
},
}
for _, test := range testCases {
test := test
t.Run(test.desc, func(t *testing.T) {
t.Parallel()
dData := parseContainer(test.container)
values := getFuncServiceMapLabel(test.suffixLabel)(dData, serviceName)
assert.EqualValues(t, test.expected, values)
})
}
}
func TestDockerGetFuncServiceStringLabel(t *testing.T) {
testCases := []struct {
container docker.ContainerJSON

37
provider/label/label.go
View file

@ -134,6 +134,26 @@ func GetSliceStringValueP(labels *map[string]string, labelName string) []string
return GetSliceStringValue(*labels, labelName)
}
// ParseMapValue get Map value for a label value
func ParseMapValue(labelName, values string) map[string]string {
mapValue := make(map[string]string)
for _, parts := range strings.Split(values, mapEntrySeparator) {
pair := strings.SplitN(parts, mapValueSeparator, 2)
if len(pair) != 2 {
log.Warnf("Could not load %q: %q, skipping...", labelName, parts)
} else {
mapValue[http.CanonicalHeaderKey(strings.TrimSpace(pair[0]))] = strings.TrimSpace(pair[1])
}
}
if len(mapValue) == 0 {
log.Errorf("Could not load %q, skipping...", labelName)
return nil
}
return mapValue
}
// GetMapValue get Map value associated to a label
func GetMapValue(labels map[string]string, labelName string) map[string]string {
if values, ok := labels[labelName]; ok {
@ -143,22 +163,7 @@ func GetMapValue(labels map[string]string, labelName string) map[string]string {
return nil
}
mapValue := make(map[string]string)
for _, parts := range strings.Split(values, mapEntrySeparator) {
pair := strings.SplitN(parts, mapValueSeparator, 2)
if len(pair) != 2 {
log.Warnf("Could not load %q: %q, skipping...", labelName, parts)
} else {
mapValue[http.CanonicalHeaderKey(strings.TrimSpace(pair[0]))] = strings.TrimSpace(pair[1])
}
}
if len(mapValue) == 0 {
log.Errorf("Could not load %q, skipping...", labelName)
return nil
}
return mapValue
return ParseMapValue(labelName, values)
}
return nil

12
templates/docker.tmpl
View file

@ -62,6 +62,18 @@
{{end}}]
[frontends."frontend-{{getServiceBackend $container $serviceName}}".routes."service-{{$serviceName | replace "/" "" | replace "." "-"}}"]
rule = "{{getServiceFrontendRule $container $serviceName}}"
{{if hasServiceRequestHeaders $container $serviceName}}
[frontends."frontend-{{getServiceBackend $container $serviceName}}".headers.customrequestheaders]
{{range $k, $v := getServiceRequestHeaders $container $serviceName}}
{{$k}} = "{{$v}}"
{{end}}
{{end}}
{{if hasServiceResponseHeaders $container $serviceName}}
[frontends."frontend-{{getServiceBackend $container $serviceName}}".headers.customresponseheaders]
{{range $k, $v := getServiceResponseHeaders $container $serviceName}}
{{$k}} = "{{$v}}"
{{end}}
{{end}}
{{end}}
{{else}}
[frontends."frontend-{{$frontend}}"]