Custom headers by service labels for docker backends
This commit is contained in:
parent
260ee980e0
commit
c66d9de759
7 changed files with 169 additions and 26 deletions
|
@ -187,6 +187,18 @@ var _templatesDockerTmpl = []byte(`{{$backendServers := .Servers}}
|
||||||
{{end}}]
|
{{end}}]
|
||||||
[frontends."frontend-{{getServiceBackend $container $serviceName}}".routes."service-{{$serviceName | replace "/" "" | replace "." "-"}}"]
|
[frontends."frontend-{{getServiceBackend $container $serviceName}}".routes."service-{{$serviceName | replace "/" "" | replace "." "-"}}"]
|
||||||
rule = "{{getServiceFrontendRule $container $serviceName}}"
|
rule = "{{getServiceFrontendRule $container $serviceName}}"
|
||||||
|
{{if hasServiceRequestHeaders $container $serviceName}}
|
||||||
|
[frontends."frontend-{{getServiceBackend $container $serviceName}}".headers.customrequestheaders]
|
||||||
|
{{range $k, $v := getServiceRequestHeaders $container $serviceName}}
|
||||||
|
{{$k}} = "{{$v}}"
|
||||||
|
{{end}}
|
||||||
|
{{end}}
|
||||||
|
{{if hasServiceResponseHeaders $container $serviceName}}
|
||||||
|
[frontends."frontend-{{getServiceBackend $container $serviceName}}".headers.customresponseheaders]
|
||||||
|
{{range $k, $v := getServiceResponseHeaders $container $serviceName}}
|
||||||
|
{{$k}} = "{{$v}}"
|
||||||
|
{{end}}
|
||||||
|
{{end}}
|
||||||
{{end}}
|
{{end}}
|
||||||
{{else}}
|
{{else}}
|
||||||
[frontends."frontend-{{$frontend}}"]
|
[frontends."frontend-{{$frontend}}"]
|
||||||
|
|
|
@ -215,6 +215,30 @@ Services labels can be used for overriding default behaviour
|
||||||
| `traefik.<service-name>.frontend.rule` | Overrides `traefik.frontend.rule`. |
|
| `traefik.<service-name>.frontend.rule` | Overrides `traefik.frontend.rule`. |
|
||||||
| `traefik.<service-name>.frontend.redirect` | Overrides `traefik.frontend.redirect`. |
|
| `traefik.<service-name>.frontend.redirect` | Overrides `traefik.frontend.redirect`. |
|
||||||
|
|
||||||
|
#### Security Headers
|
||||||
|
|
||||||
|
| Label | Description |
|
||||||
|
|-------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
||||||
|
| `traefik.<service-name>.frontend.headers.allowedHosts=EXPR` | Provides a list of allowed hosts that requests will be processed. Format: `Host1,Host2` |
|
||||||
|
| `traefik.<service-name>.frontend.headers.customRequestHeaders=EXPR ` | Provides the container with custom request headers that will be appended to each request forwarded to the container. Format: <code>HEADER:value||HEADER2:value2</code> |
|
||||||
|
| `traefik.<service-name>.frontend.headers.customResponseHeaders=EXPR` | Appends the headers to each response returned by the container, before forwarding the response to the client. Format: <code>HEADER:value||HEADER2:value2</code> |
|
||||||
|
| `traefik.<service-name>.frontend.headers.hostsProxyHeaders=EXPR ` | Provides a list of headers that the proxied hostname may be stored. Format: `HEADER1,HEADER2` |
|
||||||
|
| `traefik.<service-name>.frontend.headers.SSLRedirect=true` | Forces the frontend to redirect to SSL if a non-SSL request is sent. |
|
||||||
|
| `traefik.<service-name>.frontend.headers.SSLTemporaryRedirect=true` | Forces the frontend to redirect to SSL if a non-SSL request is sent, but by sending a 302 instead of a 301. |
|
||||||
|
| `traefik.<service-name>.frontend.headers.SSLHost=HOST` | This setting configures the hostname that redirects will be based on. Default is "", which is the same host as the request. |
|
||||||
|
| `traefik.<service-name>.frontend.headers.SSLProxyHeaders=EXPR` | Header combinations that would signify a proper SSL Request (Such as `X-Forwarded-For:https`). Format: <code>HEADER:value||HEADER2:value2</code> |
|
||||||
|
| `traefik.<service-name>.frontend.headers.STSSeconds=315360000` | Sets the max-age of the STS header. |
|
||||||
|
| `traefik.<service-name>.frontend.headers.STSIncludeSubdomains=true` | Adds the `IncludeSubdomains` section of the STS header. |
|
||||||
|
| `traefik.<service-name>.frontend.headers.STSPreload=true` | Adds the preload flag to the STS header. |
|
||||||
|
| `traefik.<service-name>.frontend.headers.forceSTSHeader=false` | Adds the STS header to non-SSL requests. |
|
||||||
|
| `traefik.<service-name>.frontend.headers.frameDeny=false` | Adds the `X-Frame-Options` header with the value of `DENY`. |
|
||||||
|
| `traefik.<service-name>.frontend.headers.customFrameOptionsValue=VALUE` | Overrides the `X-Frame-Options` header with the custom value. |
|
||||||
|
| `traefik.<service-name>.frontend.headers.contentTypeNosniff=true` | Adds the `X-Content-Type-Options` header with the value `nosniff`. |
|
||||||
|
| `traefik.<service-name>.frontend.headers.browserXSSFilter=true` | Adds the X-XSS-Protection header with the value `1; mode=block`. |
|
||||||
|
| `traefik.<service-name>.frontend.headers.contentSecurityPolicy=VALUE` | Adds CSP Header with the custom value. |
|
||||||
|
| `traefik.<service-name>.frontend.headers.publicKey=VALUE` | Adds pinned HTST public key header. |
|
||||||
|
| `traefik.<service-name>.frontend.headers.referrerPolicy=VALUE` | Adds referrer policy header. |
|
||||||
|
| `traefik.<service-name>.frontend.headers.isDevelopment=false` | This will cause the `AllowedHosts`, `SSLRedirect`, and `STSSeconds`/`STSIncludeSubdomains` options to be ignored during development.<br>When deploying to production, be sure to set this to false. |
|
||||||
|
|
||||||
!!! note
|
!!! note
|
||||||
if a label is defined both as a `container label` and a `service label` (for example `traefik.<service-name>.port=PORT` and `traefik.port=PORT` ), the `service label` is used to defined the `<service-name>` property (`port` in the example).
|
if a label is defined both as a `container label` and a `service label` (for example `traefik.<service-name>.port=PORT` and `traefik.port=PORT` ), the `service label` is used to defined the `<service-name>` property (`port` in the example).
|
||||||
|
|
|
@ -84,6 +84,10 @@ func (p *Provider) buildConfiguration(containersInspected []dockerData) *types.C
|
||||||
"hasServices": hasServices,
|
"hasServices": hasServices,
|
||||||
"getServiceNames": getServiceNames,
|
"getServiceNames": getServiceNames,
|
||||||
"getServicePort": getServicePort,
|
"getServicePort": getServicePort,
|
||||||
|
"hasServiceRequestHeaders": hasFuncServiceLabel(label.SuffixFrontendRequestHeaders),
|
||||||
|
"getServiceRequestHeaders": getFuncServiceMapLabel(label.SuffixFrontendRequestHeaders),
|
||||||
|
"hasServiceResponseHeaders": hasFuncServiceLabel(label.SuffixFrontendResponseHeaders),
|
||||||
|
"getServiceResponseHeaders": getFuncServiceMapLabel(label.SuffixFrontendResponseHeaders),
|
||||||
"getServiceWeight": getFuncServiceStringLabel(label.SuffixWeight, label.DefaultWeight),
|
"getServiceWeight": getFuncServiceStringLabel(label.SuffixWeight, label.DefaultWeight),
|
||||||
"getServiceProtocol": getFuncServiceStringLabel(label.SuffixProtocol, label.DefaultProtocol),
|
"getServiceProtocol": getFuncServiceStringLabel(label.SuffixProtocol, label.DefaultProtocol),
|
||||||
"getServiceEntryPoints": getFuncServiceSliceStringLabel(label.SuffixFrontendEntryPoints),
|
"getServiceEntryPoints": getFuncServiceSliceStringLabel(label.SuffixFrontendEntryPoints),
|
||||||
|
|
|
@ -88,6 +88,12 @@ func getServicePort(container dockerData, serviceName string) string {
|
||||||
|
|
||||||
// Service label functions
|
// Service label functions
|
||||||
|
|
||||||
|
func getFuncServiceMapLabel(labelSuffix string) func(container dockerData, serviceName string) map[string]string {
|
||||||
|
return func(container dockerData, serviceName string) map[string]string {
|
||||||
|
return getServiceMapLabel(container, serviceName, labelSuffix)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
func getFuncServiceSliceStringLabel(labelSuffix string) func(container dockerData, serviceName string) []string {
|
func getFuncServiceSliceStringLabel(labelSuffix string) func(container dockerData, serviceName string) []string {
|
||||||
return func(container dockerData, serviceName string) []string {
|
return func(container dockerData, serviceName string) []string {
|
||||||
return getServiceSliceStringLabel(container, serviceName, labelSuffix)
|
return getServiceSliceStringLabel(container, serviceName, labelSuffix)
|
||||||
|
@ -114,6 +120,14 @@ func hasServiceLabel(container dockerData, serviceName string, labelSuffix strin
|
||||||
return label.Has(container.Labels, label.Prefix+labelSuffix)
|
return label.Has(container.Labels, label.Prefix+labelSuffix)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func getServiceMapLabel(container dockerData, serviceName string, labelSuffix string) map[string]string {
|
||||||
|
if value, ok := getServiceLabels(container, serviceName)[labelSuffix]; ok {
|
||||||
|
lblName := label.GetServiceLabel(labelSuffix, serviceName)
|
||||||
|
return label.ParseMapValue(lblName, value)
|
||||||
|
}
|
||||||
|
return label.GetMapValue(container.Labels, label.Prefix+labelSuffix)
|
||||||
|
}
|
||||||
|
|
||||||
func getServiceSliceStringLabel(container dockerData, serviceName string, labelSuffix string) []string {
|
func getServiceSliceStringLabel(container dockerData, serviceName string, labelSuffix string) []string {
|
||||||
if value, ok := getServiceLabels(container, serviceName)[labelSuffix]; ok {
|
if value, ok := getServiceLabels(container, serviceName)[labelSuffix]; ok {
|
||||||
return label.SplitAndTrimString(value, ",")
|
return label.SplitAndTrimString(value, ",")
|
||||||
|
|
|
@ -7,8 +7,80 @@ import (
|
||||||
|
|
||||||
"github.com/containous/traefik/provider/label"
|
"github.com/containous/traefik/provider/label"
|
||||||
docker "github.com/docker/docker/api/types"
|
docker "github.com/docker/docker/api/types"
|
||||||
|
"github.com/stretchr/testify/assert"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
func TestDockerGetFuncMapLabel(t *testing.T) {
|
||||||
|
serviceName := "myservice"
|
||||||
|
fakeSuffix := "frontend.foo"
|
||||||
|
fakeLabel := label.Prefix + fakeSuffix
|
||||||
|
|
||||||
|
testCases := []struct {
|
||||||
|
desc string
|
||||||
|
container docker.ContainerJSON
|
||||||
|
suffixLabel string
|
||||||
|
expectedKey string
|
||||||
|
expected map[string]string
|
||||||
|
}{
|
||||||
|
{
|
||||||
|
desc: "fallback to container label value",
|
||||||
|
container: containerJSON(labels(map[string]string{
|
||||||
|
fakeLabel: "X-Custom-Header: ContainerRequestHeader",
|
||||||
|
})),
|
||||||
|
suffixLabel: fakeSuffix,
|
||||||
|
expected: map[string]string{
|
||||||
|
"X-Custom-Header": "ContainerRequestHeader",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
desc: "use service label instead of container label",
|
||||||
|
container: containerJSON(labels(map[string]string{
|
||||||
|
fakeLabel: "X-Custom-Header: ContainerRequestHeader",
|
||||||
|
label.GetServiceLabel(fakeLabel, serviceName): "X-Custom-Header: ServiceRequestHeader",
|
||||||
|
})),
|
||||||
|
suffixLabel: fakeSuffix,
|
||||||
|
expected: map[string]string{
|
||||||
|
"X-Custom-Header": "ServiceRequestHeader",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
desc: "use service label with an empty value instead of container label",
|
||||||
|
container: containerJSON(labels(map[string]string{
|
||||||
|
fakeLabel: "X-Custom-Header: ContainerRequestHeader",
|
||||||
|
label.GetServiceLabel(fakeLabel, serviceName): "X-Custom-Header: ",
|
||||||
|
})),
|
||||||
|
suffixLabel: fakeSuffix,
|
||||||
|
expected: map[string]string{
|
||||||
|
"X-Custom-Header": "",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
desc: "multiple values",
|
||||||
|
container: containerJSON(labels(map[string]string{
|
||||||
|
fakeLabel: "X-Custom-Header: MultiHeaders || Authorization: Basic YWRtaW46YWRtaW4=",
|
||||||
|
})),
|
||||||
|
suffixLabel: fakeSuffix,
|
||||||
|
expected: map[string]string{
|
||||||
|
"X-Custom-Header": "MultiHeaders",
|
||||||
|
"Authorization": "Basic YWRtaW46YWRtaW4=",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, test := range testCases {
|
||||||
|
test := test
|
||||||
|
t.Run(test.desc, func(t *testing.T) {
|
||||||
|
t.Parallel()
|
||||||
|
|
||||||
|
dData := parseContainer(test.container)
|
||||||
|
|
||||||
|
values := getFuncServiceMapLabel(test.suffixLabel)(dData, serviceName)
|
||||||
|
|
||||||
|
assert.EqualValues(t, test.expected, values)
|
||||||
|
})
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
func TestDockerGetFuncServiceStringLabel(t *testing.T) {
|
func TestDockerGetFuncServiceStringLabel(t *testing.T) {
|
||||||
testCases := []struct {
|
testCases := []struct {
|
||||||
container docker.ContainerJSON
|
container docker.ContainerJSON
|
||||||
|
|
|
@ -134,15 +134,8 @@ func GetSliceStringValueP(labels *map[string]string, labelName string) []string
|
||||||
return GetSliceStringValue(*labels, labelName)
|
return GetSliceStringValue(*labels, labelName)
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetMapValue get Map value associated to a label
|
// ParseMapValue get Map value for a label value
|
||||||
func GetMapValue(labels map[string]string, labelName string) map[string]string {
|
func ParseMapValue(labelName, values string) map[string]string {
|
||||||
if values, ok := labels[labelName]; ok {
|
|
||||||
|
|
||||||
if len(values) == 0 {
|
|
||||||
log.Errorf("Missing value for %q, skipping...", labelName)
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
mapValue := make(map[string]string)
|
mapValue := make(map[string]string)
|
||||||
|
|
||||||
for _, parts := range strings.Split(values, mapEntrySeparator) {
|
for _, parts := range strings.Split(values, mapEntrySeparator) {
|
||||||
|
@ -159,6 +152,18 @@ func GetMapValue(labels map[string]string, labelName string) map[string]string {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
return mapValue
|
return mapValue
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetMapValue get Map value associated to a label
|
||||||
|
func GetMapValue(labels map[string]string, labelName string) map[string]string {
|
||||||
|
if values, ok := labels[labelName]; ok {
|
||||||
|
|
||||||
|
if len(values) == 0 {
|
||||||
|
log.Errorf("Missing value for %q, skipping...", labelName)
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
return ParseMapValue(labelName, values)
|
||||||
}
|
}
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
|
|
|
@ -62,6 +62,18 @@
|
||||||
{{end}}]
|
{{end}}]
|
||||||
[frontends."frontend-{{getServiceBackend $container $serviceName}}".routes."service-{{$serviceName | replace "/" "" | replace "." "-"}}"]
|
[frontends."frontend-{{getServiceBackend $container $serviceName}}".routes."service-{{$serviceName | replace "/" "" | replace "." "-"}}"]
|
||||||
rule = "{{getServiceFrontendRule $container $serviceName}}"
|
rule = "{{getServiceFrontendRule $container $serviceName}}"
|
||||||
|
{{if hasServiceRequestHeaders $container $serviceName}}
|
||||||
|
[frontends."frontend-{{getServiceBackend $container $serviceName}}".headers.customrequestheaders]
|
||||||
|
{{range $k, $v := getServiceRequestHeaders $container $serviceName}}
|
||||||
|
{{$k}} = "{{$v}}"
|
||||||
|
{{end}}
|
||||||
|
{{end}}
|
||||||
|
{{if hasServiceResponseHeaders $container $serviceName}}
|
||||||
|
[frontends."frontend-{{getServiceBackend $container $serviceName}}".headers.customresponseheaders]
|
||||||
|
{{range $k, $v := getServiceResponseHeaders $container $serviceName}}
|
||||||
|
{{$k}} = "{{$v}}"
|
||||||
|
{{end}}
|
||||||
|
{{end}}
|
||||||
{{end}}
|
{{end}}
|
||||||
{{else}}
|
{{else}}
|
||||||
[frontends."frontend-{{$frontend}}"]
|
[frontends."frontend-{{$frontend}}"]
|
||||||
|
|
Loading…
Reference in a new issue