Merge current v2.9 into v3.0

This commit is contained in:
Tom Moulard 2023-01-09 16:21:45 +01:00
commit cd90b9761a
No known key found for this signature in database
GPG key ID: 521ABE0C1A0DEAF6
8 changed files with 74 additions and 13 deletions

View file

@ -11,7 +11,11 @@ Automatic HTTPS
You can configure Traefik to use an ACME provider (like Let's Encrypt) for automatic certificate generation. You can configure Traefik to use an ACME provider (like Let's Encrypt) for automatic certificate generation.
!!! warning "Let's Encrypt and Rate Limiting" !!! warning "Let's Encrypt and Rate Limiting"
Note that Let's Encrypt API has [rate limiting](https://letsencrypt.org/docs/rate-limits). Note that Let's Encrypt API has [rate limiting](https://letsencrypt.org/docs/rate-limits). These last up to __one week__, and can not be overridden.
When running Traefik in a container this file should be persisted across restarts.
If Traefik requests new certificates each time it starts up, a crash-looping container can quickly reach Let's Encrypt's ratelimits.
To configure where certificates are stored, please take a look at the [storage](#storage) configuration.
Use Let's Encrypt staging server with the [`caServer`](#caserver) configuration option Use Let's Encrypt staging server with the [`caServer`](#caserver) configuration option
when experimenting to avoid hitting this limit too fast. when experimenting to avoid hitting this limit too fast.

View file

@ -95,7 +95,7 @@ and [Docker Swarm Mode](https://docs.docker.com/engine/swarm/).
## Routing Configuration ## Routing Configuration
When using Docker as a [provider](./overview.md), When using Docker as a [provider](./overview.md),
Traefik uses [container labels](https://docs.docker.com/engine/reference/commandline/run/#set-metadata-on-container--l---label---label-file) to retrieve its routing configuration. Traefik uses [container labels](https://docs.docker.com/engine/reference/commandline/run/#-set-metadata-on-container--l---label---label-file) to retrieve its routing configuration.
See the list of labels in the dedicated [routing](../routing/providers/docker.md) section. See the list of labels in the dedicated [routing](../routing/providers/docker.md) section.

View file

@ -888,14 +888,20 @@ TLS certificates can be managed in Secrets objects.
### Communication Between Traefik and Pods ### Communication Between Traefik and Pods
!!! info "It is not possible to route requests directly to [Kubernetes services](https://kubernetes.io/docs/concepts/services-networking/service/ "Link to Kubernetes service docs")"
You can use an `ExternalName` service to forward requests to the Kubernetes service through DNS.
For doing so, you have to [allow external name services](https://doc.traefik.io/traefik/providers/kubernetes-ingress/#allowexternalnameservices "Link to docs about allowing external name services").
Traefik automatically requests endpoint information based on the service provided in the ingress spec. Traefik automatically requests endpoint information based on the service provided in the ingress spec.
Although Traefik will connect directly to the endpoints (pods), Although Traefik will connect directly to the endpoints (pods),
it still checks the service port to see if TLS communication is required. it still checks the service port to see if TLS communication is required.
There are 3 ways to configure Traefik to use https to communicate with pods: There are 3 ways to configure Traefik to use HTTPS to communicate with pods:
1. If the service port defined in the ingress spec is `443` (note that you can still use `targetPort` to use a different port on your pod). 1. If the service port defined in the ingress spec is `443` (note that you can still use `targetPort` to use a different port on your pod).
1. If the service port defined in the ingress spec has a name that starts with https (such as `https-api`, `https-web` or just `https`). 1. If the service port defined in the ingress spec has a name that starts with `https` (such as `https-api`, `https-web` or just `https`).
1. If the service spec includes the annotation `traefik.ingress.kubernetes.io/service.serversscheme: https`. 1. If the service spec includes the annotation `traefik.ingress.kubernetes.io/service.serversscheme: https`.
If either of those configuration options exist, then the backend communication protocol is assumed to be TLS, If either of those configuration options exist, then the backend communication protocol is assumed to be TLS,

View file

@ -2,6 +2,7 @@ package integration
import ( import (
"net/http" "net/http"
"net/http/httptest"
"os" "os"
"time" "time"
@ -29,7 +30,7 @@ func (s *ErrorPagesSuite) TestSimpleConfiguration(c *check.C) {
file := s.adaptFile(c, "fixtures/error_pages/simple.toml", struct { file := s.adaptFile(c, "fixtures/error_pages/simple.toml", struct {
Server1 string Server1 string
Server2 string Server2 string
}{s.BackendIP, s.ErrorPageIP}) }{"http://" + s.BackendIP + ":80", s.ErrorPageIP})
defer os.Remove(file) defer os.Remove(file)
cmd, display := s.traefikCmd(withConfigFile(file)) cmd, display := s.traefikCmd(withConfigFile(file))
@ -67,3 +68,33 @@ func (s *ErrorPagesSuite) TestErrorPage(c *check.C) {
err = try.Request(frontendReq, 2*time.Second, try.BodyContains("An error occurred.")) err = try.Request(frontendReq, 2*time.Second, try.BodyContains("An error occurred."))
c.Assert(err, checker.IsNil) c.Assert(err, checker.IsNil)
} }
func (s *ErrorPagesSuite) TestErrorPageFlush(c *check.C) {
srv := httptest.NewServer(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
rw.Header().Add("Transfer-Encoding", "chunked")
rw.WriteHeader(http.StatusInternalServerError)
_, _ = rw.Write([]byte("KO"))
}))
file := s.adaptFile(c, "fixtures/error_pages/simple.toml", struct {
Server1 string
Server2 string
}{srv.URL, s.ErrorPageIP})
defer os.Remove(file)
cmd, display := s.traefikCmd(withConfigFile(file))
defer display(c)
err := cmd.Start()
c.Assert(err, checker.IsNil)
defer s.killCmd(cmd)
frontendReq, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8080", nil)
c.Assert(err, checker.IsNil)
frontendReq.Host = "test.local"
err = try.Request(frontendReq, 2*time.Second,
try.BodyContains("An error occurred."),
try.HasHeaderValue("Content-Type", "text/html", true),
)
c.Assert(err, checker.IsNil)
}

View file

@ -31,7 +31,7 @@
[http.services.service1.loadBalancer] [http.services.service1.loadBalancer]
passHostHeader = true passHostHeader = true
[[http.services.service1.loadBalancer.servers]] [[http.services.service1.loadBalancer.servers]]
url = "http://{{.Server1}}:80" url = "{{.Server1}}"
[http.services.error.loadBalancer] [http.services.error.loadBalancer]
[[http.services.error.loadBalancer.servers]] [[http.services.error.loadBalancer.servers]]

View file

@ -209,6 +209,15 @@ func (cc *codeCatcher) Flush() {
// Otherwise, cc.code is actually a 200 here. // Otherwise, cc.code is actually a 200 here.
cc.WriteHeader(cc.code) cc.WriteHeader(cc.code)
// We don't care about the contents of the response,
// since we want to serve the ones from the error page,
// so we just don't flush.
// (e.g., To prevent superfluous WriteHeader on request with a
// `Transfert-Encoding: chunked` header).
if cc.caughtFilteredCode {
return
}
if flusher, ok := cc.responseWriter.(http.Flusher); ok { if flusher, ok := cc.responseWriter.(http.Flusher); ok {
flusher.Flush() flusher.Flush()
} }

View file

@ -81,10 +81,12 @@ func New(ctx context.Context, next http.Handler, config dynamic.RateLimit, name
period = time.Second period = time.Second
} }
// if config.Average == 0, in that case, // Initialized at rate.Inf to enforce no rate limiting when config.Average == 0
// the value of maxDelay does not matter since the reservation will (buggily) give us a delay of 0 anyway. rtl := float64(rate.Inf)
// No need to set any particular value for maxDelay as the reservation's delay
// will be <= 0 in the Inf case (i.e. the average == 0 case).
var maxDelay time.Duration var maxDelay time.Duration
var rtl float64
if config.Average > 0 { if config.Average > 0 {
rtl = float64(config.Average*int64(time.Second)) / float64(period) rtl = float64(config.Average*int64(time.Second)) / float64(period)
// maxDelay does not scale well for rates below 1, // maxDelay does not scale well for rates below 1,
@ -155,10 +157,6 @@ func (rl *rateLimiter) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
return return
} }
// time/rate is bugged, since a rate.Limiter with a 0 Limit not only allows a Reservation to take place,
// but also gives a 0 delay below (because of a division by zero, followed by a multiplication that flips into the negatives),
// regardless of the current load.
// However, for now we take advantage of this behavior to provide the no-limit ratelimiter when config.Average is 0.
res := bucket.Reserve() res := bucket.Reserve()
if !res.OK() { if !res.OK() {
http.Error(rw, "No bursty traffic allowed", http.StatusTooManyRequests) http.Error(rw, "No bursty traffic allowed", http.StatusTooManyRequests)

View file

@ -15,6 +15,7 @@ import (
"github.com/traefik/traefik/v2/pkg/config/dynamic" "github.com/traefik/traefik/v2/pkg/config/dynamic"
"github.com/traefik/traefik/v2/pkg/testhelpers" "github.com/traefik/traefik/v2/pkg/testhelpers"
"github.com/vulcand/oxy/v2/utils" "github.com/vulcand/oxy/v2/utils"
"golang.org/x/time/rate"
) )
func TestNewRateLimiter(t *testing.T) { func TestNewRateLimiter(t *testing.T) {
@ -25,7 +26,16 @@ func TestNewRateLimiter(t *testing.T) {
expectedSourceIP string expectedSourceIP string
requestHeader string requestHeader string
expectedError string expectedError string
expectedRTL rate.Limit
}{ }{
{
desc: "no ratelimit on Average == 0",
config: dynamic.RateLimit{
Average: 0,
Burst: 10,
},
expectedRTL: rate.Inf,
},
{ {
desc: "maxDelay computation", desc: "maxDelay computation",
config: dynamic.RateLimit{ config: dynamic.RateLimit{
@ -120,6 +130,9 @@ func TestNewRateLimiter(t *testing.T) {
assert.NoError(t, err) assert.NoError(t, err)
assert.Equal(t, test.requestHeader, hd) assert.Equal(t, test.requestHeader, hd)
} }
if test.expectedRTL != 0 {
assert.Equal(t, test.expectedRTL, rtl.rate)
}
}) })
} }
} }