baalajimaestro/traefik
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions

Merge github.com:traefik/traefik

Browse source
This commit is contained in:
baalajimaestro 2022-11-05 19:21:44 +05:30
commit f6ee1b343a
Signed by: baalajimaestro
GPG key ID: F93C394FE9BBAFD5
95 changed files with 1075 additions and 638 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
.github/workflows/build.yaml vendored
View file

@ -56,7 +56,7 @@ jobs:
fetch-depth: 0
- name: Cache Go modules
uses: actions/cache@v2
uses: actions/cache@v3
with:
path: |
~/go/pkg/mod

2
.github/workflows/test-unit.yaml vendored
View file

@ -31,7 +31,7 @@ jobs:
fetch-depth: 0
- name: Cache Go modules
uses: actions/cache@v2
uses: actions/cache@v3
with:
path: |
~/go/pkg/mod

4
.github/workflows/validate.yaml vendored
View file

@ -33,7 +33,7 @@ jobs:
fetch-depth: 0
- name: Cache Go modules
uses: actions/cache@v2
uses: actions/cache@v3
with:
path: |
~/go/pkg/mod
@ -73,7 +73,7 @@ jobs:
fetch-depth: 0
- name: Cache Go modules
uses: actions/cache@v2
uses: actions/cache@v3
with:
path: |
~/go/pkg/mod

1
.golangci.yml
View file

@ -75,7 +75,6 @@ linters-settings:
- github.com/mailgun/minheap
- github.com/mailgun/multibuf
- github.com/jaguilar/vt100
- github.com/BurntSushi/toml
linters:
enable-all: true

11
.goreleaser.yml
View file

@ -22,22 +22,23 @@ builds:
- openbsd
goarch:
- amd64
- 386
- '386'
- arm
- arm64
- ppc64le
- s390x
goarm:
- 7
- 6
- 5
- '7'
- '6'
ignore:
- goos: darwin
goarch: 386
goarch: '386'
- goos: openbsd
goarch: arm
- goos: openbsd
goarch: arm64
- goos: freebsd
goarch: arm
- goos: freebsd
goarch: arm64
- goos: windows

26
CHANGELOG.md
View file

@ -1,3 +1,29 @@
## [v2.9.4](https://github.com/traefik/traefik/tree/v2.9.4) (2022-10-27)
[All Commits](https://github.com/traefik/traefik/compare/v2.9.1...v2.9.4)
**Bug fixes:**
- **[acme]** Update go-acme/lego to v4.9.0 ([#9413](https://github.com/traefik/traefik/pull/9413) by [tony-defa](https://github.com/tony-defa))
- **[kv,redis]** Fix Redis configuration type ([#9435](https://github.com/traefik/traefik/pull/9435) by [ldez](https://github.com/ldez))
- **[logs,middleware,metrics]** Handle capture on redefined http.responseWriters ([#9440](https://github.com/traefik/traefik/pull/9440) by [rtribotte](https://github.com/rtribotte))
- **[middleware,k8s]** Remove raw cert escape in PassTLSClientCert middleware ([#9412](https://github.com/traefik/traefik/pull/9412) by [rtribotte](https://github.com/rtribotte))
- **[plugins]** Update Yaegi to v0.14.3 ([#9468](https://github.com/traefik/traefik/pull/9468) by [ldez](https://github.com/ldez))
- Remove side effect on default transport tests ([#9460](https://github.com/traefik/traefik/pull/9460) by [sdelicata](https://github.com/sdelicata))
**Documentation:**
- **[k8s]** Fix links to gateway API guides ([#9445](https://github.com/traefik/traefik/pull/9445) by [kevinpollet](https://github.com/kevinpollet))
- Simplify dashboard rule example ([#9454](https://github.com/traefik/traefik/pull/9454) by [sosoba](https://github.com/sosoba))
- Add v2.9 to release page ([#9438](https://github.com/traefik/traefik/pull/9438) by [kevinpollet](https://github.com/kevinpollet))
## [v2.9.3](https://github.com/traefik/traefik/tree/v2.9.3) (2022-10-27)
[All Commits](https://github.com/traefik/traefik/compare/v2.9.1...v2.9.3)
Release canceled.
## [v2.9.2](https://github.com/traefik/traefik/tree/v2.9.2) (2022-10-27)
[All Commits](https://github.com/traefik/traefik/compare/v2.9.1...v2.9.2)
Release canceled.
## [v2.9.1](https://github.com/traefik/traefik/tree/v2.9.1) (2022-10-03)
[All Commits](https://github.com/traefik/traefik/compare/v2.9.0-rc1...v2.9.1)

2
Makefile
View file

@ -189,7 +189,7 @@ generate-genconf:
.PHONY: release-packages
release-packages: generate-webui build-dev-image
rm -rf dist
$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK_NOTTY)) goreleaser release --skip-publish --timeout="90m"
$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK_NOTTY)) goreleaser release --skip-publish -p 4 --timeout="90m"
$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK_NOTTY)) tar cfz dist/traefik-${VERSION}.src.tar.gz \
--exclude-vcs \
--exclude .idea \

11
cmd/traefik/traefik.go
View file

@ -32,7 +32,6 @@ import (
"github.com/traefik/traefik/v2/pkg/log"
"github.com/traefik/traefik/v2/pkg/metrics"
"github.com/traefik/traefik/v2/pkg/middlewares/accesslog"
"github.com/traefik/traefik/v2/pkg/middlewares/capture"
"github.com/traefik/traefik/v2/pkg/provider/acme"
"github.com/traefik/traefik/v2/pkg/provider/aggregator"
"github.com/traefik/traefik/v2/pkg/provider/hub"
@ -287,9 +286,8 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
accessLog := setupAccessLog(staticConfiguration.AccessLog)
tracer := setupTracing(staticConfiguration.Tracing)
captureMiddleware := setupCapture(staticConfiguration)
chainBuilder := middleware.NewChainBuilder(metricsRegistry, accessLog, tracer, captureMiddleware)
chainBuilder := middleware.NewChainBuilder(metricsRegistry, accessLog, tracer)
routerFactory := server.NewRouterFactory(*staticConfiguration, managerFactory, tlsManager, chainBuilder, pluginBuilder, metricsRegistry)
// Watcher
@ -638,13 +636,6 @@ func setupTracing(conf *static.Tracing) *tracing.Tracing {
return tracer
}
func setupCapture(staticConfiguration *static.Configuration) *capture.Handler {
if staticConfiguration.AccessLog == nil && staticConfiguration.Metrics == nil {
return nil
}
return &capture.Handler{}
}
func configureLogging(staticConfiguration *static.Configuration) {
// configure default log flags
stdlog.SetFlags(stdlog.Lshortfile | stdlog.LstdFlags)

BIN
docs/content/assets/img/middleware/ipwhitelist.png
View file

Binary file not shown.
Side by side

Before

Width:  |  Height:  |  Size: 58 KiB

16
docs/content/middlewares/http/chain.md
View file

@ -15,7 +15,7 @@ It makes reusing the same groups easier.
## Configuration Example
Below is an example of a Chain containing `WhiteList`, `BasicAuth`, and `RedirectScheme`.
Below is an example of a Chain containing `AllowList`, `BasicAuth`, and `RedirectScheme`.
```yaml tab="Docker"
labels:
@ -25,7 +25,7 @@ labels:
- "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
- "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
- "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
- "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
- "traefik.http.middlewares.known-ips.ipallowlist.sourceRange=192.168.1.7,127.0.0.1/32"
- "traefik.http.services.service1.loadbalancer.server.port=80"
```
@ -80,7 +80,7 @@ kind: Middleware
metadata:
name: known-ips
spec:
ipWhiteList:
ipAllowList:
sourceRange:
- 192.168.1.7
- 127.0.0.1/32
@ -93,7 +93,7 @@ spec:
- "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
- "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
- "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
- "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
- "traefik.http.middlewares.known-ips.ipallowlist.sourceRange=192.168.1.7,127.0.0.1/32"
- "traefik.http.services.service1.loadbalancer.server.port=80"
```
@ -105,7 +105,7 @@ spec:
"traefik.http.middlewares.secured.chain.middlewares": "https-only,known-ips,auth-users",
"traefik.http.middlewares.auth-users.basicauth.users": "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
"traefik.http.middlewares.https-only.redirectscheme.scheme": "https",
"traefik.http.middlewares.known-ips.ipwhitelist.sourceRange": "192.168.1.7,127.0.0.1/32",
"traefik.http.middlewares.known-ips.ipallowlist.sourceRange": "192.168.1.7,127.0.0.1/32",
"traefik.http.services.service1.loadbalancer.server.port": "80"
}
```
@ -118,7 +118,7 @@ labels:
- "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
- "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
- "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
- "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
- "traefik.http.middlewares.known-ips.ipallowlist.sourceRange=192.168.1.7,127.0.0.1/32"
- "traefik.http.services.service1.loadbalancer.server.port=80"
```
@ -150,7 +150,7 @@ http:
scheme: https
known-ips:
ipWhiteList:
ipAllowList:
sourceRange:
- "192.168.1.7"
- "127.0.0.1/32"
@ -180,7 +180,7 @@ http:
[http.middlewares.https-only.redirectScheme]
scheme = "https"
[http.middlewares.known-ips.ipWhiteList]
[http.middlewares.known-ips.ipAllowList]
sourceRange = ["192.168.1.7", "127.0.0.1/32"]
[http.services]

77
docs/content/middlewares/http/grpcweb.md Normal file
View file

@ -0,0 +1,77 @@
---
title: "Traefik GrpcWeb Documentation"
description: "In Traefik Proxy's HTTP middleware, GrpcWeb converts a gRPC Web requests to HTTP/2 gRPC requests. Read the technical documentation."
---
# GrpcWeb
Converting gRPC Web requests to HTTP/2 gRPC requests.
{: .subtitle }
The GrpcWeb middleware converts gRPC Web requests to HTTP/2 gRPC requests before forwarding them to the backends.
!!! tip
Please note, that Traefik needs to communicate using gRPC with the backends (h2c or HTTP/2 over TLS).
Check out the [gRPC](../../user-guides/grpc.md) user guide for more details.
## Configuration Examples
```yaml tab="Docker"
labels:
- "traefik.http.middlewares.test-grpcweb.grpcweb.allowOrigins=*"
```
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-grpcweb
spec:
grpcWeb:
allowOrigins:
- "*"
```
```yaml tab="Consul Catalog"
- "traefik.http.middlewares.test-grpcweb.grpcWeb.allowOrigins=*"
```
```json tab="Marathon"
"labels": {
"traefik.http.middlewares.test-grpcweb.grpcweb.alloworigins": "*"
}
```
```yaml tab="Rancher"
labels:
- "traefik.http.middlewares.test-grpcweb.grpcweb.alloworigins=*"
```
```yaml tab="File (YAML)"
http:
middlewares:
test-grpcweb:
grpcWeb:
allowOrigins:
- "*"
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-grpcweb.grpcWeb]
allowOrigins = ["*"]
```
## Configuration Options
### `allowOrigins`
The `allowOrigins` contains the list of allowed origins.
A wildcard origin `*` can also be configured to match all requests.
More information including how to use the settings can be found at:
- [Mozilla.org](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin)
- [w3](https://fetch.spec.whatwg.org/#http-access-control-allow-origin)
- [IETF](https://tools.ietf.org/html/rfc6454#section-7.1)

90
docs/content/middlewares/http/ipwhitelist.md → docs/content/middlewares/http/ipallowlist.md
View file

@ -1,32 +1,30 @@
---
title: "Traefik HTTP Middlewares IPWhiteList"
description: "Learn how to use IPWhiteList in HTTP middleware for limiting clients to specific IPs in Traefik Proxy. Read the technical documentation."
title: "Traefik HTTP Middlewares IPAllowList"
description: "Learn how to use IPAllowList in HTTP middleware for limiting clients to specific IPs in Traefik Proxy. Read the technical documentation."
---
# IPWhiteList
# IPAllowList
Limiting Clients to Specific IPs
{: .subtitle }
![IpWhiteList](../../assets/img/middleware/ipwhitelist.png)
IPWhitelist accepts / refuses requests based on the client IP.
IPAllowList accepts / refuses requests based on the client IP.
## Configuration Examples
```yaml tab="Docker"
# Accepts request from defined IP
labels:
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
```
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-ipwhitelist
name: test-ipallowlist
spec:
ipWhiteList:
ipAllowList:
sourceRange:
- 127.0.0.1/32
- 192.168.1.7
@ -34,27 +32,27 @@ spec:
```yaml tab="Consul Catalog"
# Accepts request from defined IP
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
```
```json tab="Marathon"
"labels": {
"traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32,192.168.1.7"
"traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange": "127.0.0.1/32,192.168.1.7"
}
```
```yaml tab="Rancher"
# Accepts request from defined IP
labels:
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
```
```yaml tab="File (YAML)"
# Accepts request from defined IP
http:
middlewares:
test-ipwhitelist:
ipWhiteList:
test-ipallowlist:
ipAllowList:
sourceRange:
- "127.0.0.1/32"
- "192.168.1.7"
@ -63,7 +61,7 @@ http:
```toml tab="File (TOML)"
# Accepts request from defined IP
[http.middlewares]
[http.middlewares.test-ipwhitelist.ipWhiteList]
[http.middlewares.test-ipallowlist.ipAllowList]
sourceRange = ["127.0.0.1/32", "192.168.1.7"]
```
@ -86,7 +84,7 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
!!! example "Examples of Depth & X-Forwarded-For"
If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used for the whitelisting is `"12.0.0.1"` (`depth=2`).
If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used is `"12.0.0.1"` (`depth=2`).
| `X-Forwarded-For` | `depth` | clientIP |
|-----------------------------------------|---------|--------------|
@ -95,20 +93,20 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5` | `""` |
```yaml tab="Docker"
# Whitelisting Based on `X-Forwarded-For` with `depth=2`
# Allowlisting Based on `X-Forwarded-For` with `depth=2`
labels:
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth=2"
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.depth=2"
```
```yaml tab="Kubernetes"
# Whitelisting Based on `X-Forwarded-For` with `depth=2`
# Allowlisting Based on `X-Forwarded-For` with `depth=2`
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-ipwhitelist
name: test-ipallowlist
spec:
ipWhiteList:
ipAllowList:
sourceRange:
- 127.0.0.1/32
- 192.168.1.7
@ -117,31 +115,31 @@ spec:
```
```yaml tab="Consul Catalog"
# Whitelisting Based on `X-Forwarded-For` with `depth=2`
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth=2"
# Allowlisting Based on `X-Forwarded-For` with `depth=2`
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.depth=2"
```
```json tab="Marathon"
"labels": {
"traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32, 192.168.1.7",
"traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth": "2"
"traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange": "127.0.0.1/32, 192.168.1.7",
"traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.depth": "2"
}
```
```yaml tab="Rancher"
# Whitelisting Based on `X-Forwarded-For` with `depth=2`
# Allowlisting Based on `X-Forwarded-For` with `depth=2`
labels:
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth=2"
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.depth=2"
```
```yaml tab="File (YAML)"
# Whitelisting Based on `X-Forwarded-For` with `depth=2`
# Allowlisting Based on `X-Forwarded-For` with `depth=2`
http:
middlewares:
test-ipwhitelist:
ipWhiteList:
test-ipallowlist:
ipAllowList:
sourceRange:
- "127.0.0.1/32"
- "192.168.1.7"
@ -150,11 +148,11 @@ http:
```
```toml tab="File (TOML)"
# Whitelisting Based on `X-Forwarded-For` with `depth=2`
# Allowlisting Based on `X-Forwarded-For` with `depth=2`
[http.middlewares]
[http.middlewares.test-ipwhitelist.ipWhiteList]
[http.middlewares.test-ipallowlist.ipAllowList]
sourceRange = ["127.0.0.1/32", "192.168.1.7"]
[http.middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
[http.middlewares.test-ipallowlist.ipAllowList.ipStrategy]
depth = 2
```
@ -177,7 +175,7 @@ http:
```yaml tab="Docker"
# Exclude from `X-Forwarded-For`
labels:
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
```
```yaml tab="Kubernetes"
@ -185,9 +183,9 @@ labels:
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-ipwhitelist
name: test-ipallowlist
spec:
ipWhiteList:
ipAllowList:
ipStrategy:
excludedIPs:
- 127.0.0.1/32
@ -196,27 +194,27 @@ spec:
```yaml tab="Consul Catalog"
# Exclude from `X-Forwarded-For`
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
```
```json tab="Marathon"
"labels": {
"traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips": "127.0.0.1/32, 192.168.1.7"
"traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips": "127.0.0.1/32, 192.168.1.7"
}
```
```yaml tab="Rancher"
# Exclude from `X-Forwarded-For`
labels:
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
```
```yaml tab="File (YAML)"
# Exclude from `X-Forwarded-For`
http:
middlewares:
test-ipwhitelist:
ipWhiteList:
test-ipallowlist:
ipAllowList:
ipStrategy:
excludedIPs:
- "127.0.0.1/32"
@ -226,7 +224,7 @@ http:
```toml tab="File (TOML)"
# Exclude from `X-Forwarded-For`
[http.middlewares]
[http.middlewares.test-ipwhitelist.ipWhiteList]
[http.middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
[http.middlewares.test-ipallowlist.ipAllowList]
[http.middlewares.test-ipallowlist.ipAllowList.ipStrategy]
excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
```

2
docs/content/middlewares/http/overview.md
View file

@ -142,7 +142,7 @@ http:
| [Errors](errorpages.md) | Defines custom error pages | Request Lifecycle |
| [ForwardAuth](forwardauth.md) | Delegates Authentication | Security, Authentication |
| [Headers](headers.md) | Adds / Updates headers | Security |
| [IPWhiteList](ipwhitelist.md) | Limits the allowed client IPs | Security, Request lifecycle |
| [IPAllowList](ipallowlist.md) | Limits the allowed client IPs | Security, Request lifecycle |
| [InFlightReq](inflightreq.md) | Limits the number of simultaneous connections | Security, Request lifecycle |
| [PassTLSClientCert](passtlsclientcert.md) | Adds Client Certificates in a Header | Security |
| [RateLimit](ratelimit.md) | Limits the call frequency | Security, Request lifecycle |

26
docs/content/middlewares/tcp/ipwhitelist.md → docs/content/middlewares/tcp/ipallowlist.md
View file

@ -1,30 +1,30 @@
---
title: "Traefik TCP Middlewares IPWhiteList"
description: "Learn how to use IPWhiteList in TCP middleware for limiting clients to specific IPs in Traefik Proxy. Read the technical documentation."
title: "Traefik TCP Middlewares IPAllowList"
description: "Learn how to use IPAllowList in TCP middleware for limiting clients to specific IPs in Traefik Proxy. Read the technical documentation."
---
# IPWhiteList
# IPAllowList
Limiting Clients to Specific IPs
{: .subtitle }
IPWhitelist accepts / refuses connections based on the client IP.
IPAllowList accepts / refuses connections based on the client IP.
## Configuration Examples
```yaml tab="Docker"
# Accepts connections from defined IP
labels:
- "traefik.tcp.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
- "traefik.tcp.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
```
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: MiddlewareTCP
metadata:
name: test-ipwhitelist
name: test-ipallowlist
spec:
ipWhiteList:
ipAllowList:
sourceRange:
- 127.0.0.1/32
- 192.168.1.7
@ -32,25 +32,25 @@ spec:
```yaml tab="Consul Catalog"
# Accepts request from defined IP
- "traefik.tcp.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
- "traefik.tcp.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
```
```json tab="Marathon"
"labels": {
"traefik.tcp.middlewares.test-ipwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32,192.168.1.7"
"traefik.tcp.middlewares.test-ipallowlist.ipallowlist.sourcerange": "127.0.0.1/32,192.168.1.7"
}
```
```yaml tab="Rancher"
# Accepts request from defined IP
labels:
- "traefik.tcp.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
- "traefik.tcp.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
```
```toml tab="File (TOML)"
# Accepts request from defined IP
[tcp.middlewares]
[tcp.middlewares.test-ipwhitelist.ipWhiteList]
[tcp.middlewares.test-ipallowlist.ipAllowList]
sourceRange = ["127.0.0.1/32", "192.168.1.7"]
```
@ -58,8 +58,8 @@ labels:
# Accepts request from defined IP
tcp:
middlewares:
test-ipwhitelist:
ipWhiteList:
test-ipallowlist:
ipAllowList:
sourceRange:
- "127.0.0.1/32"
- "192.168.1.7"

46
docs/content/middlewares/tcp/overview.md
View file

@ -18,10 +18,10 @@ whoami:
# A container that exposes an API to show its IP address
image: traefik/whoami
labels:
# Create a middleware named `foo-ip-whitelist`
- "traefik.tcp.middlewares.foo-ip-whitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
# Apply the middleware named `foo-ip-whitelist` to the router named `router1`
- "traefik.tcp.routers.router1.middlewares=foo-ip-whitelist@docker"
# Create a middleware named `foo-ip-allowlist`
- "traefik.tcp.middlewares.foo-ip-allowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
# Apply the middleware named `foo-ip-allowlist` to the router named `router1`
- "traefik.tcp.routers.router1.middlewares=foo-ip-allowlist@docker"
```
```yaml tab="Kubernetes IngressRoute"
@ -43,9 +43,9 @@ spec:
apiVersion: traefik.containo.us/v1alpha1
kind: MiddlewareTCP
metadata:
name: foo-ip-whitelist
name: foo-ip-allowlist
spec:
ipWhiteList:
ipAllowList:
sourcerange:
- 127.0.0.1/32
- 192.168.1.7
@ -60,30 +60,30 @@ spec:
routes:
# more fields...
middlewares:
- name: foo-ip-whitelist
- name: foo-ip-allowlist
```
```yaml tab="Consul Catalog"
# Create a middleware named `foo-ip-whitelist`
- "traefik.tcp.middlewares.foo-ip-whitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
# Apply the middleware named `foo-ip-whitelist` to the router named `router1`
- "traefik.tcp.routers.router1.middlewares=foo-ip-whitelist@consulcatalog"
# Create a middleware named `foo-ip-allowlist`
- "traefik.tcp.middlewares.foo-ip-allowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
# Apply the middleware named `foo-ip-allowlist` to the router named `router1`
- "traefik.tcp.routers.router1.middlewares=foo-ip-allowlist@consulcatalog"
```
```json tab="Marathon"
"labels": {
"traefik.tcp.middlewares.foo-ip-whitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7",
"traefik.tcp.routers.router1.middlewares=foo-ip-whitelist@marathon"
"traefik.tcp.middlewares.foo-ip-allowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7",
"traefik.tcp.routers.router1.middlewares=foo-ip-allowlist@marathon"
}
```
```yaml tab="Rancher"
# As a Rancher Label
labels:
# Create a middleware named `foo-ip-whitelist`
- "traefik.tcp.middlewares.foo-ip-whitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
# Apply the middleware named `foo-ip-whitelist` to the router named `router1`
- "traefik.tcp.routers.router1.middlewares=foo-ip-whitelist@rancher"
# Create a middleware named `foo-ip-allowlist`
- "traefik.tcp.middlewares.foo-ip-allowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
# Apply the middleware named `foo-ip-allowlist` to the router named `router1`
- "traefik.tcp.routers.router1.middlewares=foo-ip-allowlist@rancher"
```
```toml tab="File (TOML)"
@ -91,11 +91,11 @@ labels:
[tcp.routers]
[tcp.routers.router1]
service = "myService"
middlewares = ["foo-ip-whitelist"]
middlewares = ["foo-ip-allowlist"]
rule = "Host(`example.com`)"
[tcp.middlewares]
[tcp.middlewares.foo-ip-whitelist.ipWhiteList]
[tcp.middlewares.foo-ip-allowlist.ipAllowList]
sourceRange = ["127.0.0.1/32", "192.168.1.7"]
[tcp.services]
@ -114,12 +114,12 @@ tcp:
router1:
service: myService
middlewares:
- "foo-ip-whitelist"
- "foo-ip-allowlist"
rule: "Host(`example.com`)"
middlewares:
foo-ip-whitelist:
ipWhiteList:
foo-ip-allowlist:
ipAllowList:
sourceRange:
- "127.0.0.1/32"
- "192.168.1.7"
@ -137,4 +137,4 @@ tcp:
| Middleware | Purpose | Area |
|-------------------------------------------|---------------------------------------------------|-----------------------------|
| [InFlightConn](inflightconn.md) | Limits the number of simultaneous connections. | Security, Request lifecycle |
| [IPWhiteList](ipwhitelist.md) | Limit the allowed client IPs. | Security, Request lifecycle |
| [IPAllowList](ipallowlist.md) | Limit the allowed client IPs. | Security, Request lifecycle |

18
docs/content/migration/v2-to-v3.md Normal file
View file

@ -0,0 +1,18 @@
---
title: "Traefik V3 Migration Documentation"
description: "Migrate from Traefik Proxy v2 to v3 and update all the necessary configurations to take advantage of all the improvements. Read the technical documentation."
---
# Migration Guide: From v2 to v3
How to Migrate from Traefik v2 to Traefik v3.
{: .subtitle }
The version 3 of Traefik introduces a number of breaking changes,
which require one to update their configuration when they migrate from v2 to v3.
The goal of this page is to recapitulate all of these changes, and in particular to give examples,
feature by feature, of how the configuration looked like in v2, and how it now looks like in v3.
## IPWhiteList
In v3, we renamed the `IPWhiteList` middleware to `IPAllowList` without changing anything to the configuration.

6
docs/content/operations/dashboard.md
View file

@ -72,7 +72,7 @@ to allow defining:
- One or more security features through [middlewares](../middlewares/overview.md)
like authentication ([basicAuth](../middlewares/http/basicauth.md) , [digestAuth](../middlewares/http/digestauth.md),
[forwardAuth](../middlewares/http/forwardauth.md)) or [whitelisting](../middlewares/http/ipwhitelist.md).
[forwardAuth](../middlewares/http/forwardauth.md)) or [allowlisting](../middlewares/http/ipallowlist.md).
- A [router rule](#dashboard-router-rule) for accessing the dashboard,
through Traefik itself (sometimes referred as "Traefik-ception").
@ -93,12 +93,12 @@ rule = "Host(`traefik.example.com`)"
```bash tab="Path Prefix Rule"
# The dashboard can be accessed on http://example.com/dashboard/ or http://traefik.example.com/dashboard/
rule = "PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
rule = "PathPrefix(`/api`, `/dashboard`)"
```
```bash tab="Combination of Rules"
# The dashboard can be accessed on http://traefik.example.com/dashboard/
rule = "Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
rule = "Host(`traefik.example.com`) && PathPrefix(`/api`, `/dashboard`)"
```
??? example "Dashboard Dynamic Configuration Examples"

2
docs/content/providers/file.md
View file

@ -18,7 +18,7 @@ It supports providing configuration through a [single configuration file](#filen
!!! tip
The file provider can be a good solution for reusing common elements from other providers (e.g. declaring whitelist middlewares, basic authentication, ...)
The file provider can be a good solution for reusing common elements from other providers (e.g. declaring allowlist middlewares, basic authentication, ...)
## Configuration Examples

9
docs/content/reference/dynamic-configuration/docker-labels.yml
View file

@ -71,9 +71,9 @@
- "traefik.http.middlewares.middleware10.headers.stsincludesubdomains=true"
- "traefik.http.middlewares.middleware10.headers.stspreload=true"
- "traefik.http.middlewares.middleware10.headers.stsseconds=42"
- "traefik.http.middlewares.middleware11.ipwhitelist.ipstrategy.depth=42"
- "traefik.http.middlewares.middleware11.ipwhitelist.ipstrategy.excludedips=foobar, foobar"
- "traefik.http.middlewares.middleware11.ipwhitelist.sourcerange=foobar, foobar"
- "traefik.http.middlewares.middleware11.ipallowlist.ipstrategy.depth=42"
- "traefik.http.middlewares.middleware11.ipallowlist.ipstrategy.excludedips=foobar, foobar"
- "traefik.http.middlewares.middleware11.ipallowlist.sourcerange=foobar, foobar"
- "traefik.http.middlewares.middleware12.inflightreq.amount=42"
- "traefik.http.middlewares.middleware12.inflightreq.sourcecriterion.ipstrategy.depth=42"
- "traefik.http.middlewares.middleware12.inflightreq.sourcecriterion.ipstrategy.excludedips=foobar, foobar"
@ -121,6 +121,7 @@
- "traefik.http.middlewares.middleware21.stripprefix.forceslash=true"
- "traefik.http.middlewares.middleware21.stripprefix.prefixes=foobar, foobar"
- "traefik.http.middlewares.middleware22.stripprefixregex.regex=foobar, foobar"
- "traefik.http.middlewares.middleware23.grpcweb.alloworigins=foobar, foobar"
- "traefik.http.routers.router0.entrypoints=foobar, foobar"
- "traefik.http.routers.router0.middlewares=foobar, foobar"
- "traefik.http.routers.router0.priority=42"
@ -166,7 +167,7 @@
- "traefik.http.services.service01.loadbalancer.sticky.cookie.secure=true"
- "traefik.http.services.service01.loadbalancer.server.port=foobar"
- "traefik.http.services.service01.loadbalancer.server.scheme=foobar"
- "traefik.tcp.middlewares.tcpmiddleware00.ipwhitelist.sourcerange=foobar, foobar"
- "traefik.tcp.middlewares.tcpmiddleware00.ipallowlist.sourcerange=foobar, foobar"
- "traefik.tcp.middlewares.tcpmiddleware01.inflightconn.amount=42"
- "traefik.tcp.routers.tcprouter0.entrypoints=foobar, foobar"
- "traefik.tcp.routers.tcprouter0.middlewares=foobar, foobar"

9
docs/content/reference/dynamic-configuration/file.toml
View file

@ -203,9 +203,9 @@
name0 = "foobar"
name1 = "foobar"
[http.middlewares.Middleware11]
[http.middlewares.Middleware11.ipWhiteList]
[http.middlewares.Middleware11.ipAllowList]
sourceRange = ["foobar", "foobar"]
[http.middlewares.Middleware11.ipWhiteList.ipStrategy]
[http.middlewares.Middleware11.ipAllowList.ipStrategy]
depth = 42
excludedIPs = ["foobar", "foobar"]
[http.middlewares.Middleware12]
@ -285,6 +285,9 @@
[http.middlewares.Middleware22]
[http.middlewares.Middleware22.stripPrefixRegex]
regex = ["foobar", "foobar"]
[http.middlewares.Middleware23]
[http.middlewares.Middleware23.grpcWeb]
allowOrigins = ["foobar", "foobar"]
[http.serversTransports]
[http.serversTransports.ServersTransport0]
serverName = "foobar"
@ -402,7 +405,7 @@
weight = 42
[tcp.middlewares]
[tcp.middlewares.TCPMiddleware00]
[tcp.middlewares.TCPMiddleware00.ipWhiteList]
[tcp.middlewares.TCPMiddleware00.ipAllowList]
sourceRange = ["foobar", "foobar"]
[tcp.middlewares.TCPMiddleware01]
[tcp.middlewares.TCPMiddleware01.inFlightConn]

9
docs/content/reference/dynamic-configuration/file.yaml
View file

@ -230,7 +230,7 @@ http:
permissionsPolicy: foobar
isDevelopment: true
Middleware11:
ipWhiteList:
ipAllowList:
sourceRange:
- foobar
- foobar
@ -324,6 +324,11 @@ http:
regex:
- foobar
- foobar
Middleware23:
grpcWeb:
allowOrigins:
- foobar
- foobar
serversTransports:
ServersTransport0:
serverName: foobar
@ -443,7 +448,7 @@ tcp:
weight: 42
middlewares:
TCPMiddleware00:
ipWhiteList:
ipAllowList:
sourceRange:
- foobar
- foobar

27
docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
View file

@ -967,6 +967,17 @@ spec:
forward) all X-Forwarded-* headers.'
type: boolean
type: object
grpcWeb:
description: GrpcWeb holds the gRPC web middleware configuration.
This middleware converts a gRPC web request to an HTTP/2 gRPC request.
properties:
allowOrigins:
description: AllowOrigins is a list of allowable origins. Can
also be a wildcard origin "*".
items:
type: string
type: array
type: object
headers:
description: 'Headers holds the headers middleware configuration.
This middleware manages the requests and responses headers. More
@ -1149,7 +1160,7 @@ spec:
properties:
ipStrategy:
description: 'IPStrategy holds the IP strategy configuration
used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/#ipstrategy'
used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipallowlist/#ipstrategy'
properties:
depth:
description: Depth tells Traefik to use the X-Forwarded-For
@ -1174,14 +1185,14 @@ spec:
type: boolean
type: object
type: object
ipWhiteList:
description: 'IPWhiteList holds the IP whitelist middleware configuration.
ipAllowList:
description: 'IPAllowList holds the IP allowlist middleware configuration.
This middleware accepts / refuses requests based on the client IP.
More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/'
More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipallowlist/'
properties:
ipStrategy:
description: 'IPStrategy holds the IP strategy configuration used
by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/#ipstrategy'
by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipallowlist/#ipstrategy'
properties:
depth:
description: Depth tells Traefik to use the X-Forwarded-For
@ -1345,7 +1356,7 @@ spec:
properties:
ipStrategy:
description: 'IPStrategy holds the IP strategy configuration
used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/#ipstrategy'
used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipallowlist/#ipstrategy'
properties:
depth:
description: Depth tells Traefik to use the X-Forwarded-For
@ -1541,8 +1552,8 @@ spec:
format: int64
type: integer
type: object
ipWhiteList:
description: IPWhiteList defines the IPWhiteList middleware configuration.
ipAllowList:
description: IPAllowList defines the IPAllowList middleware configuration.
properties:
sourceRange:
description: SourceRange defines the allowed IPs (or ranges of

2
docs/content/reference/dynamic-configuration/kubernetes-crd-resource.yml
View file

@ -148,7 +148,7 @@ spec:
- name: whoamitcp
port: 8080
middlewares:
- name: ipwhitelist
- name: ipallowlist
tls:
secretName: foosecret
passthrough: false

16
docs/content/reference/dynamic-configuration/kv-ref.md
View file

@ -84,11 +84,11 @@
| `traefik/http/middlewares/Middleware10/headers/stsIncludeSubdomains` | `true` |
| `traefik/http/middlewares/Middleware10/headers/stsPreload` | `true` |
| `traefik/http/middlewares/Middleware10/headers/stsSeconds` | `42` |
| `traefik/http/middlewares/Middleware11/ipWhiteList/ipStrategy/depth` | `42` |
| `traefik/http/middlewares/Middleware11/ipWhiteList/ipStrategy/excludedIPs/0` | `foobar` |
| `traefik/http/middlewares/Middleware11/ipWhiteList/ipStrategy/excludedIPs/1` | `foobar` |
| `traefik/http/middlewares/Middleware11/ipWhiteList/sourceRange/0` | `foobar` |
| `traefik/http/middlewares/Middleware11/ipWhiteList/sourceRange/1` | `foobar` |
| `traefik/http/middlewares/Middleware11/ipAllowList/ipStrategy/depth` | `42` |
| `traefik/http/middlewares/Middleware11/ipAllowList/ipStrategy/excludedIPs/0` | `foobar` |
| `traefik/http/middlewares/Middleware11/ipAllowList/ipStrategy/excludedIPs/1` | `foobar` |
| `traefik/http/middlewares/Middleware11/ipAllowList/sourceRange/0` | `foobar` |
| `traefik/http/middlewares/Middleware11/ipAllowList/sourceRange/1` | `foobar` |
| `traefik/http/middlewares/Middleware12/inFlightReq/amount` | `42` |
| `traefik/http/middlewares/Middleware12/inFlightReq/sourceCriterion/ipStrategy/depth` | `42` |
| `traefik/http/middlewares/Middleware12/inFlightReq/sourceCriterion/ipStrategy/excludedIPs/0` | `foobar` |
@ -140,6 +140,8 @@
| `traefik/http/middlewares/Middleware21/stripPrefix/prefixes/1` | `foobar` |
| `traefik/http/middlewares/Middleware22/stripPrefixRegex/regex/0` | `foobar` |
| `traefik/http/middlewares/Middleware22/stripPrefixRegex/regex/1` | `foobar` |
| `traefik/http/middlewares/Middleware23/grpcWeb/allowOrigins/0` | `foobar` |
| `traefik/http/middlewares/Middleware23/grpcWeb/allowOrigins/1` | `foobar` |
| `traefik/http/routers/Router0/entryPoints/0` | `foobar` |
| `traefik/http/routers/Router0/entryPoints/1` | `foobar` |
| `traefik/http/routers/Router0/middlewares/0` | `foobar` |
@ -247,8 +249,8 @@
| `traefik/http/services/Service04/failover/fallback` | `foobar` |
| `traefik/http/services/Service04/failover/healthCheck` | `` |
| `traefik/http/services/Service04/failover/service` | `foobar` |
| `traefik/tcp/middlewares/TCPMiddleware00/ipWhiteList/sourceRange/0` | `foobar` |
| `traefik/tcp/middlewares/TCPMiddleware00/ipWhiteList/sourceRange/1` | `foobar` |
| `traefik/tcp/middlewares/TCPMiddleware00/ipAllowList/sourceRange/0` | `foobar` |
| `traefik/tcp/middlewares/TCPMiddleware00/ipAllowList/sourceRange/1` | `foobar` |
| `traefik/tcp/middlewares/TCPMiddleware01/inFlightConn/amount` | `42` |
| `traefik/tcp/routers/TCPRouter0/entryPoints/0` | `foobar` |
| `traefik/tcp/routers/TCPRouter0/entryPoints/1` | `foobar` |

9
docs/content/reference/dynamic-configuration/marathon-labels.json
View file

@ -71,9 +71,9 @@
"traefik.http.middlewares.middleware10.headers.stsincludesubdomains": "true",
"traefik.http.middlewares.middleware10.headers.stspreload": "true",
"traefik.http.middlewares.middleware10.headers.stsseconds": "42",
"traefik.http.middlewares.middleware11.ipwhitelist.ipstrategy.depth": "42",
"traefik.http.middlewares.middleware11.ipwhitelist.ipstrategy.excludedips": "foobar, foobar",
"traefik.http.middlewares.middleware11.ipwhitelist.sourcerange": "foobar, foobar",
"traefik.http.middlewares.middleware11.ipallowlist.ipstrategy.depth": "42",
"traefik.http.middlewares.middleware11.ipallowlist.ipstrategy.excludedips": "foobar, foobar",
"traefik.http.middlewares.middleware11.ipallowlist.sourcerange": "foobar, foobar",
"traefik.http.middlewares.middleware12.inflightreq.amount": "42",
"traefik.http.middlewares.middleware12.inflightreq.sourcecriterion.ipstrategy.depth": "42",
"traefik.http.middlewares.middleware12.inflightreq.sourcecriterion.ipstrategy.excludedips": "foobar, foobar",
@ -121,6 +121,7 @@
"traefik.http.middlewares.middleware21.stripprefix.forceslash": "true",
"traefik.http.middlewares.middleware21.stripprefix.prefixes": "foobar, foobar",
"traefik.http.middlewares.middleware22.stripprefixregex.regex": "foobar, foobar",
"traefik.http.middlewares.middleware23.grpcweb.alloworigins": "foobar, foobar",
"traefik.http.routers.router0.entrypoints": "foobar, foobar",
"traefik.http.routers.router0.middlewares": "foobar, foobar",
"traefik.http.routers.router0.priority": "42",
@ -166,7 +167,7 @@
"traefik.http.services.service01.loadbalancer.sticky.cookie.secure": "true",
"traefik.http.services.service01.loadbalancer.server.port": "foobar",
"traefik.http.services.service01.loadbalancer.server.scheme": "foobar",
"traefik.tcp.middlewares.tcpmiddleware00.ipwhitelist.sourcerange": "foobar, foobar",
"traefik.tcp.middlewares.tcpmiddleware00.ipallowlist.sourcerange": "foobar, foobar",
"traefik.tcp.middlewares.tcpmiddleware01.inflightconn.amount": "42",
"traefik.tcp.routers.tcprouter0.entrypoints": "foobar, foobar",
"traefik.tcp.routers.tcprouter0.middlewares": "foobar, foobar",

23
docs/content/reference/dynamic-configuration/traefik.containo.us_middlewares.yaml
View file

@ -390,6 +390,17 @@ spec:
forward) all X-Forwarded-* headers.'
type: boolean
type: object
grpcWeb:
description: GrpcWeb holds the gRPC web middleware configuration.
This middleware converts a gRPC web request to an HTTP/2 gRPC request.
properties:
allowOrigins:
description: AllowOrigins is a list of allowable origins. Can
also be a wildcard origin "*".
items:
type: string
type: array
type: object
headers:
description: 'Headers holds the headers middleware configuration.
This middleware manages the requests and responses headers. More
@ -572,7 +583,7 @@ spec:
properties:
ipStrategy:
description: 'IPStrategy holds the IP strategy configuration
used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/#ipstrategy'
used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipallowlist/#ipstrategy'
properties:
depth:
description: Depth tells Traefik to use the X-Forwarded-For
@ -597,14 +608,14 @@ spec:
type: boolean
type: object
type: object
ipWhiteList:
description: 'IPWhiteList holds the IP whitelist middleware configuration.
ipAllowList:
description: 'IPAllowList holds the IP allowlist middleware configuration.
This middleware accepts / refuses requests based on the client IP.
More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/'
More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipallowlist/'
properties:
ipStrategy:
description: 'IPStrategy holds the IP strategy configuration used
by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/#ipstrategy'
by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipallowlist/#ipstrategy'
properties:
depth:
description: Depth tells Traefik to use the X-Forwarded-For
@ -768,7 +779,7 @@ spec:
properties:
ipStrategy:
description: 'IPStrategy holds the IP strategy configuration
used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/#ipstrategy'
used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipallowlist/#ipstrategy'
properties:
depth:
description: Depth tells Traefik to use the X-Forwarded-For

4
docs/content/reference/dynamic-configuration/traefik.containo.us_middlewaretcps.yaml
View file

@ -47,8 +47,8 @@ spec:
format: int64
type: integer
type: object
ipWhiteList:
description: IPWhiteList defines the IPWhiteList middleware configuration.
ipAllowList:
description: IPAllowList defines the IPAllowList middleware configuration.
properties:
sourceRange:
description: SourceRange defines the allowed IPs (or ranges of

8
docs/content/routing/providers/kubernetes-crd.md
View file

@ -1287,9 +1287,9 @@ Register the `MiddlewareTCP` [kind](../../reference/dynamic-configuration/kubern
apiVersion: traefik.containo.us/v1alpha1
kind: MiddlewareTCP
metadata:
name: ipwhitelist
name: ipallowlist
spec:
ipWhiteList:
ipAllowList:
sourceRange:
- 127.0.0.1/32
- 192.168.1.7
@ -1305,13 +1305,13 @@ Register the `MiddlewareTCP` [kind](../../reference/dynamic-configuration/kubern
entryPoints:
- web
routes:
- match: Host(`example.com`) && PathPrefix(`/whitelist`)
- match: Host(`example.com`) && PathPrefix(`/allowlist`)
kind: Rule
services:
- name: whoami
port: 80
middlewares:
- name: ipwhitelist
- name: ipallowlist
namespace: foo
```

4
docs/content/routing/routers/index.md
View file

@ -986,7 +986,7 @@ The middlewares will take effect only if the rule matches, and before connecting
[tcp.routers.my-router]
rule = "HostSNI(`*`)"
# declared elsewhere
middlewares = ["ipwhitelist"]
middlewares = ["ipallowlist"]
service = "service-foo"
```
@ -998,7 +998,7 @@ The middlewares will take effect only if the rule matches, and before connecting
rule: "HostSNI(`*`)"
# declared elsewhere
middlewares:
- ipwhitelist
- ipallowlist
service: service-foo
```

6
docs/mkdocs.yml
View file

@ -125,8 +125,9 @@ nav:
- 'DigestAuth': 'middlewares/http/digestauth.md'
- 'Errors': 'middlewares/http/errorpages.md'
- 'ForwardAuth': 'middlewares/http/forwardauth.md'
- 'GrpcWeb': 'middlewares/http/grpcweb.md'
- 'Headers': 'middlewares/http/headers.md'
- 'IpWhitelist': 'middlewares/http/ipwhitelist.md'
- 'IpAllowList': 'middlewares/http/ipallowlist.md'
- 'InFlightReq': 'middlewares/http/inflightreq.md'
- 'PassTLSClientCert': 'middlewares/http/passtlsclientcert.md'
- 'RateLimit': 'middlewares/http/ratelimit.md'
@ -140,7 +141,7 @@ nav:
- 'TCP':
- 'Overview': 'middlewares/tcp/overview.md'
- 'InFlightConn': 'middlewares/tcp/inflightconn.md'
- 'IpWhitelist': 'middlewares/tcp/ipwhitelist.md'
- 'IpAllowList': 'middlewares/tcp/ipallowlist.md'
- 'Traefik Hub': 'traefik-hub/index.md'
- 'Plugins & Plugin Catalog': 'plugins/index.md'
- 'Operations':
@ -177,6 +178,7 @@ nav:
- 'HTTP Challenge': 'user-guides/docker-compose/acme-http/index.md'
- 'DNS Challenge': 'user-guides/docker-compose/acme-dns/index.md'
- 'Migration':
- 'Traefik v2 to v3': 'migration/v2-to-v3.md'
- 'Traefik v2 minor migrations': 'migration/v2.md'
- 'Traefik v1 to v2': 'migration/v1-to-v2.md'
- 'Contributing':

13
go.mod
View file

@ -3,7 +3,7 @@ module github.com/traefik/traefik/v2
go 1.19
require (
github.com/BurntSushi/toml v1.2.0
github.com/BurntSushi/toml v1.2.1
github.com/ExpediaDotCom/haystack-client-go v0.0.0-20190315171017-e7edbdf53a61
github.com/Masterminds/sprig/v3 v3.2.2
github.com/abbot/go-http-auth v0.0.0-00010101000000-000000000000
@ -32,6 +32,7 @@ require (
github.com/hashicorp/go-multierror v1.1.1
github.com/hashicorp/go-version v1.6.0
github.com/hashicorp/nomad/api v0.0.0-20220506174431-b5665129cd1f
github.com/improbable-eng/grpc-web v0.15.0
github.com/influxdata/influxdb-client-go/v2 v2.7.0
github.com/influxdata/influxdb1-client v0.0.0-20191209144304-8bf82d3c094d
github.com/instana/go-sensor v1.38.3
@ -62,7 +63,7 @@ require (
github.com/stvp/go-udp-testing v0.0.0-20191102171040-06b61409b154
github.com/tailscale/tscert v0.0.0-20220316030059-54bbcb9f74e2
github.com/traefik/paerser v0.1.9
github.com/traefik/yaegi v0.14.2
github.com/traefik/yaegi v0.14.3
github.com/uber/jaeger-client-go v2.30.0+incompatible
github.com/uber/jaeger-lib v2.2.0+incompatible
github.com/unrolled/render v1.0.2
@ -143,6 +144,7 @@ require (
github.com/coreos/go-systemd/v22 v22.3.2 // indirect
github.com/cpu/goacmedns v0.1.1 // indirect
github.com/deepmap/oapi-codegen v1.9.1 // indirect
github.com/desertbit/timer v0.0.0-20180107155436-c41aec40b27f // indirect
github.com/dgraph-io/ristretto v0.1.0 // indirect
github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
github.com/dimchansky/utfbom v1.1.1 // indirect
@ -190,7 +192,7 @@ require (
github.com/gophercloud/gophercloud v1.0.0 // indirect
github.com/gophercloud/utils v0.0.0-20210216074907-f6de111f2eae // indirect
github.com/gravitational/trace v1.1.16-0.20220114165159-14a9a7dd6aaf // indirect
github.com/grpc-ecosystem/go-grpc-middleware v1.2.0 // indirect
github.com/grpc-ecosystem/go-grpc-middleware v1.2.2 // indirect
github.com/grpc-ecosystem/grpc-opentracing v0.0.0-20180507213350-8e809c8a8645 // indirect
github.com/hashicorp/consul/sdk v0.10.0 // indirect
github.com/hashicorp/cronexpr v1.1.1 // indirect
@ -281,6 +283,7 @@ require (
github.com/pquerna/otp v1.3.0 // indirect
github.com/prometheus/common v0.35.0 // indirect
github.com/prometheus/procfs v0.7.3 // indirect
github.com/rs/cors v1.7.0 // indirect
github.com/sacloud/api-client-go v0.2.1 // indirect
github.com/sacloud/go-http v0.1.2 // indirect
github.com/sacloud/iaas-api-go v1.3.2 // indirect
@ -343,6 +346,7 @@ require (
howett.net/plist v0.0.0-20181124034731-591f970eefbb // indirect
k8s.io/klog/v2 v2.10.0 // indirect
k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e // indirect
nhooyr.io/websocket v1.8.7 // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.1.2 // indirect
sigs.k8s.io/yaml v1.2.0 // indirect
)
@ -358,9 +362,6 @@ replace (
// https://github.com/docker/compose/blob/e44222664abd07ce1d1fe6796d84d93cbc7468c3/go.mod#L131
replace github.com/jaguilar/vt100 => github.com/tonistiigi/vt100 v0.0.0-20190402012908-ad4c4a574305
// https://github.com/BurntSushi/toml/issues/360
replace github.com/BurntSushi/toml v1.2.0 => github.com/BurntSushi/toml v1.1.0
// ambiguous import: found package github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common/http in multiple modules
// tencentcloud uses monorepo with multimodule but the go.mod files are incomplete.
exclude github.com/tencentcloud/tencentcloud-sdk-go v3.0.83+incompatible

51
go.sum
View file

@ -112,8 +112,8 @@ github.com/Azure/go-autorest/tracing v0.5.0/go.mod h1:r/s2XiOKccPW3HrqB+W0TQzfbt
github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo=
github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU=
github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
github.com/BurntSushi/toml v1.1.0 h1:ksErzDEI1khOiGPgpwuI7x2ebx/uXQNw7xJpn9Eq1+I=
github.com/BurntSushi/toml v1.1.0/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
github.com/BurntSushi/toml v1.2.1 h1:9F2/+DoOYIOksmaJFPw1tGFy1eDnIJXg+UHjuD8lTak=
github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
github.com/DataDog/datadog-agent/pkg/obfuscate v0.0.0-20211129110424-6491aa3bf583 h1:3nVO1nQyh64IUY6BPZUpMYMZ738Pu+LsMt3E0eqqIYw=
github.com/DataDog/datadog-agent/pkg/obfuscate v0.0.0-20211129110424-6491aa3bf583/go.mod h1:EP9f4GqaDJyP1F5jTNMtzdIpw3JpNs3rMSJOnYywCiw=
@ -522,6 +522,8 @@ github.com/denisenkom/go-mssqldb v0.0.0-20200428022330-06a60b6afbbc/go.mod h1:xb
github.com/denisenkom/go-mssqldb v0.11.0/go.mod h1:xbL0rPBG9cCiLr28tMa8zpbdarY27NDyej4t/EjAShU=
github.com/denverdino/aliyungo v0.0.0-20170926055100-d3308649c661/go.mod h1:dV8lFg6daOBZbT6/BDGIz6Y3WFGn8juu6G+CQ6LHtl0=
github.com/denverdino/aliyungo v0.0.0-20190125010748-a747050bb1ba/go.mod h1:dV8lFg6daOBZbT6/BDGIz6Y3WFGn8juu6G+CQ6LHtl0=
github.com/desertbit/timer v0.0.0-20180107155436-c41aec40b27f h1:U5y3Y5UE0w7amNe7Z5G/twsBW0KEalRQXZzf8ufSh9I=
github.com/desertbit/timer v0.0.0-20180107155436-c41aec40b27f/go.mod h1:xH/i4TFMt8koVQZ6WFms69WAsDWr2XsYL3Hkl7jkoLE=
github.com/dgraph-io/ristretto v0.1.0 h1:Jv3CGQHp9OjuMBSne1485aDpUkTKEcUqF+jm/LuerPI=
github.com/dgraph-io/ristretto v0.1.0/go.mod h1:fux0lOrBhrVCJd3lcTHsIJhq1T2rokOu6v9Vcb3Q9ug=
github.com/dgrijalva/jwt-go v0.0.0-20170104182250-a601269ab70c/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
@ -681,8 +683,11 @@ github.com/getsentry/raven-go v0.0.0-20180121060056-563b81fc02b7/go.mod h1:KungG
github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk=
github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
github.com/gin-contrib/sse v0.1.0 h1:Y/yl/+YNO8GZSjAhjMsSuLt29uWRFHdHYUb5lYOV9qE=
github.com/gin-contrib/sse v0.1.0/go.mod h1:RHrZQHXnP2xjPF+u1gW/2HnVO7nvIa9PG3Gm+fLHvGI=
github.com/gin-gonic/gin v1.6.3/go.mod h1:75u5sXoLsGZoRN5Sgbi1eraJ4GU3++wFwWzhwvtwp4M=
github.com/gin-gonic/gin v1.7.0/go.mod h1:jD2toBW3GZUr5UMcdrwQA10I7RuaFOl/SGeDjXkfUtY=
github.com/gin-gonic/gin v1.7.4 h1:QmUZXrvJ9qZ3GfWvQ+2wnW/1ePrTEJqPKMYEU3lD/DM=
github.com/gin-gonic/gin v1.7.4/go.mod h1:jD2toBW3GZUr5UMcdrwQA10I7RuaFOl/SGeDjXkfUtY=
github.com/gliderlabs/ssh v0.1.1/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0=
github.com/globalsign/mgo v0.0.0-20181015135952-eeefdecb41b8/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q=
@ -700,6 +705,7 @@ github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2
github.com/go-ini/ini v1.25.4/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8=
github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
github.com/go-kit/kit v0.10.0/go.mod h1:xUsJbQ/Fp4kEt7AFgCuvyX4a71u8h9jB8tj/ORgOZ7o=
github.com/go-kit/kit v0.10.1-0.20200915143503-439c4d2ed3ea h1:CnEQOUv4ilElSwFB9g/lVmz206oLE4aNZDYngIY1Gvg=
github.com/go-kit/kit v0.10.1-0.20200915143503-439c4d2ed3ea/go.mod h1:xUsJbQ/Fp4kEt7AFgCuvyX4a71u8h9jB8tj/ORgOZ7o=
github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
@ -735,11 +741,15 @@ github.com/go-pg/pg/v10 v10.0.0/go.mod h1:XHU1AkQW534GFuUdSiQ46+Xw6Ah+9+b8DlT4Yw
github.com/go-pg/zerochecker v0.2.0/go.mod h1:NJZ4wKL0NmTtz0GKCoJ8kym6Xn/EQzXRl2OnAe7MmDo=
github.com/go-playground/assert/v2 v2.0.1/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
github.com/go-playground/locales v0.13.0/go.mod h1:taPMhCMXrRLJO55olJkUXHZBHCxTMfnGwq/HNwmWNS8=
github.com/go-playground/locales v0.14.0 h1:u50s323jtVGugKlcYeyzC0etD1HifMjqmJqb8WugfUU=
github.com/go-playground/locales v0.14.0/go.mod h1:sawfccIbzZTqEDETgFXqTho0QybSa7l++s0DH+LDiLs=
github.com/go-playground/universal-translator v0.17.0/go.mod h1:UkSxE5sNxxRwHyU+Scu5vgOQjsIJAF8j9muTVoKLVtA=
github.com/go-playground/universal-translator v0.18.0 h1:82dyy6p4OuJq4/CByFNOn/jYrnRPArHwAcmLoJZxyho=
github.com/go-playground/universal-translator v0.18.0/go.mod h1:UvRDBj+xPUEGrFYl+lu/H90nyDXpg0fqeB/AQUGNTVA=
github.com/go-playground/validator/v10 v10.2.0/go.mod h1:uOYAAleCW8F/7oMFd6aG0GOhaH6EGOAJShg8Id5JGkI=
github.com/go-playground/validator/v10 v10.4.1/go.mod h1:nlOn6nFhuKACm19sB/8EGNn9GlaMV7XkbRSipzJ0Ii4=
github.com/go-playground/validator/v10 v10.9.0/go.mod h1:74x4gJWsvQexRdW8Pn3dXSGrTK4nAUsbPlLADvpJkos=
github.com/go-playground/validator/v10 v10.11.0 h1:0W+xRM511GY47Yy3bZUbJVitCNg2BOGlCyvTqsp/xIw=
github.com/go-redis/redis v6.15.9+incompatible/go.mod h1:NAIEuMOZ/fxfXJIrKDQDz8wamY7mA7PouImQ2Jvg6kA=
github.com/go-redis/redis/v7 v7.1.0/go.mod h1:JDNMw23GTyLNC4GZu9njt15ctBQVn7xjRfnwdHj/Dcg=
github.com/go-redis/redis/v8 v8.0.0/go.mod h1:isLoQT/NFSP7V67lyvM9GmdvLdyZ7pEhsXvvyQtnQTo=
@ -788,6 +798,12 @@ github.com/gobuffalo/packd v0.1.0/go.mod h1:M2Juc+hhDXf/PnmBANFCqx4DM3wRbgDvnVWe
github.com/gobuffalo/packr/v2 v2.0.9/go.mod h1:emmyGweYTm6Kdper+iywB6YK5YzuKchGtJQZ0Odn4pQ=
github.com/gobuffalo/packr/v2 v2.2.0/go.mod h1:CaAwI0GPIAv+5wKLtv8Afwl+Cm78K/I/VCm/3ptBN+0=
github.com/gobuffalo/syncx v0.0.0-20190224160051-33c29581e754/go.mod h1:HhnNqWY95UYwwW3uSASeV7vtgYkT2t16hJgV3AEPUpw=
github.com/gobwas/httphead v0.0.0-20180130184737-2c6c146eadee h1:s+21KNqlpePfkah2I+gwHF8xmJWRjooY+5248k6m4A0=
github.com/gobwas/httphead v0.0.0-20180130184737-2c6c146eadee/go.mod h1:L0fX3K22YWvt/FAX9NnzrNzcI4wNYi9Yku4O0LKYflo=
github.com/gobwas/pool v0.2.0 h1:QEmUOlnSjWtnpRGHF3SauEiOsy82Cup83Vf2LcMlnc8=
github.com/gobwas/pool v0.2.0/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw=
github.com/gobwas/ws v1.0.2 h1:CoAavW/wd/kulfZmSIBt6p24n4j7tHgNVCjsfHVNUbo=
github.com/gobwas/ws v1.0.2/go.mod h1:szmBTxLgaFppYjEmNtny/v3w89xOydFnnZMcgRRu/EM=
github.com/goccy/go-json v0.7.8/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
github.com/gocql/gocql v0.0.0-20220224095938-0eacd3183625/go.mod h1:3gM2c4D3AnkISwBxGnMMsS8Oy4y2lhbPRsH4xnJrHG8=
github.com/godbus/dbus v0.0.0-20151105175453-c7fdd8b5cd55/go.mod h1:/YcGZj5zSblfDWMMoOzV4fas9FZnQYTkDnsGvmh2Grw=
@ -962,6 +978,7 @@ github.com/gorilla/handlers v0.0.0-20150720190736-60c7bfde3e33/go.mod h1:Qkdc/uu
github.com/gorilla/handlers v1.5.1/go.mod h1:t8XrUpc4KVXb7HGyJ4/cEnwQiaxrX/hz1Zv/4g96P1Q=
github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc=
github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
@ -973,8 +990,9 @@ github.com/gregjones/httpcache v0.0.0-20170728041850-787624de3eb7/go.mod h1:Fecb
github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs=
github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de4/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs=
github.com/grpc-ecosystem/go-grpc-middleware v1.2.0 h1:0IKlLyQ3Hs9nDaiK5cSHAGmcQEIC8l2Ts1u6x5Dfrqg=
github.com/grpc-ecosystem/go-grpc-middleware v1.2.0/go.mod h1:mJzapYve32yjrKlk9GbyCZHuPgZsrbyIbyKhSzOpg6s=
github.com/grpc-ecosystem/go-grpc-middleware v1.2.2 h1:FlFbCRLd5Jr4iYXZufAvgWN6Ao0JrI5chLINnUXDDr0=
github.com/grpc-ecosystem/go-grpc-middleware v1.2.2/go.mod h1:EaizFBKfUKtMIF5iaDEhniwNedqGo9FuLFzppDr3uwI=
github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
github.com/grpc-ecosystem/grpc-gateway v1.5.0/go.mod h1:RSKVYQBd5MCa4OVpNdGskqpgL2+G+NZTnrVHpWWfpdw=
github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
@ -1128,6 +1146,8 @@ github.com/imdario/mergo v0.3.10/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH
github.com/imdario/mergo v0.3.11/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
github.com/imdario/mergo v0.3.12 h1:b6R2BslTbIEToALKP7LxUvijTsNI9TAe80pLWN2g/HU=
github.com/imdario/mergo v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
github.com/improbable-eng/grpc-web v0.15.0 h1:BN+7z6uNXZ1tQGcNAuaU1YjsLTApzkjt2tzCixLaUPQ=
github.com/improbable-eng/grpc-web v0.15.0/go.mod h1:1sy9HKV4Jt9aEs9JSnkWlRJPuPtwNr0l57L4f878wP8=
github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM=
github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
github.com/influxdata/influxdb-client-go/v2 v2.7.0 h1:QgP5mlBE9sGnzplpnf96pr+p7uqlIlL4W2GAP3n+XZg=
@ -1278,7 +1298,9 @@ github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+o
github.com/kisielk/sqlstruct v0.0.0-20150923205031-648daed35d49/go.mod h1:yyMNCyc/Ib3bDTKd379tNMpB/7/H5TjM2Y9QJ5THLbE=
github.com/kisom/goutils v1.1.0/go.mod h1:+UBTfd78habUYWFbNWTJNG+jNG/i/lGURakr4A/yNRw=
github.com/klauspost/compress v1.9.5/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A=
github.com/klauspost/compress v1.10.3/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
github.com/klauspost/compress v1.11.3/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
github.com/klauspost/compress v1.11.7/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
github.com/klauspost/compress v1.11.13/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
github.com/klauspost/compress v1.12.2/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg=
github.com/klauspost/compress v1.13.4/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg=
@ -1328,6 +1350,7 @@ github.com/labstack/echo/v4 v4.6.3/go.mod h1:Hk5OiHj0kDqmFq7aHe7eDqI7CUhuCrfpupQ
github.com/labstack/gommon v0.3.0/go.mod h1:MULnywXg0yavhxWKc+lOruYdAhDwPK9wf0OL7NoOu+k=
github.com/labstack/gommon v0.3.1/go.mod h1:uW6kP17uPlLJsD3ijUYn3/M5bAxtlZhMI6m3MFxTMTM=
github.com/leodido/go-urn v1.2.0/go.mod h1:+8+nEpDfqqsY+g338gtMEUOtuK+4dEMhiQEgxpxOKII=
github.com/leodido/go-urn v1.2.1 h1:BqpAaACuzVSgi/VLzGZIobT2z4v53pjosyNd9Yv6n/w=
github.com/leodido/go-urn v1.2.1/go.mod h1:zt4jvISO2HfUBqxjfIshjdMTYS56ZS/qv49ictyFfxY=
github.com/lestrrat-go/backoff/v2 v2.0.8/go.mod h1:rHP/q/r9aT27n24JQLa7JhSQZCKBBOiM/uP402WwN8Y=
github.com/lestrrat-go/blackmagic v1.0.0/go.mod h1:TNgH//0vYSs8VXDCfkZLgIrVTTXQELZffUV0tz3MtdQ=
@ -1522,7 +1545,9 @@ github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2
github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f h1:KUppIJq7/+SVif2QVs3tOP0zanoHgBEVAwHxUSIzRqU=
github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
github.com/mwitkow/grpc-proxy v0.0.0-20181017164139-0f1106ef9c76/go.mod h1:x5OoJHDHqxHS801UIuhqGl6QdSAEJvtausosHSdazIo=
github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
github.com/namedotcom/go v0.0.0-20180403034216-08470befbe04 h1:o6uBwrhM5C8Ll3MAAxrQxRHEu7FkapwTuI2WmL1rw4g=
github.com/namedotcom/go v0.0.0-20180403034216-08470befbe04/go.mod h1:5sN+Lt1CaY4wsPvgQH/jsuJi4XO2ssZbdsIizr4CVC8=
@ -1730,6 +1755,7 @@ github.com/prometheus/common v0.6.0/go.mod h1:eBmuwkDJBwy6iBfxCBob6t6dR6ENT/y+J+
github.com/prometheus/common v0.7.0/go.mod h1:DjGbpBbp5NYNiECxcL/VnbXCCaQpKd3tt26CguLLsqA=
github.com/prometheus/common v0.9.1/go.mod h1:yhUN8i9wzaXS3w1O07YhxHEBxD+W35wd8bs7vj7HSQ4=
github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo=
github.com/prometheus/common v0.15.0/go.mod h1:U+gB1OBLb1lF3O42bTCL+FK18tX9Oar16Clt/msog/s=
github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc=
github.com/prometheus/common v0.32.1/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls=
github.com/prometheus/common v0.35.0 h1:Eyr+Pw2VymWejHqCugNaQXkAi6KayVNxaHeu6khmFBE=
@ -1748,6 +1774,7 @@ github.com/prometheus/procfs v0.0.5/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDa
github.com/prometheus/procfs v0.0.8/go.mod h1:7Qr8sr6344vo1JqZ6HhLceV9o3AJ1Ff+GxbHq6oeK9A=
github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
github.com/prometheus/procfs v0.2.0/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
github.com/prometheus/procfs v0.3.0/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
github.com/prometheus/procfs v0.7.3 h1:4jVXhlkAyzOScmCkXBTOLRLTz8EeU+eyjrwB/EPq0VU=
github.com/prometheus/procfs v0.7.3/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
@ -1769,6 +1796,8 @@ github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFR
github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
github.com/rogpeppe/go-internal v1.8.0/go.mod h1:WmiCO8CzOY8rg0OYDC4/i/2WRWAB6poM+XZ2dLUbcbE=
github.com/rogpeppe/go-internal v1.8.1 h1:geMPLpDpQOgVyCg5z5GoRwLHepNdb71NXb67XFkP+Eg=
github.com/rs/cors v1.7.0 h1:+88SsELBHx5r+hZ8TCkggzSstaWNbDvThkVK8H6f9ik=
github.com/rs/cors v1.7.0/go.mod h1:gFx+x8UowdsKA9AchylcLynDq+nNFfI8FkUZdN/jGCU=
github.com/rs/xid v1.2.1/go.mod h1:+uKXf+4Djp6Md1KODXJxgGQPKngRmWyn10oCKFzNHOQ=
github.com/rs/zerolog v1.4.0/go.mod h1:YbFCdg8HfsridGWAh22vktObvhZbQsZXe4/zB0OKkWU=
github.com/rs/zerolog v1.13.0/go.mod h1:YbFCdg8HfsridGWAh22vktObvhZbQsZXe4/zB0OKkWU=
@ -1968,8 +1997,8 @@ github.com/tonistiigi/vt100 v0.0.0-20190402012908-ad4c4a574305 h1:y/1cL5AL2oRcfz
github.com/tonistiigi/vt100 v0.0.0-20190402012908-ad4c4a574305/go.mod h1:gXOLibKqQTRAVuVZ9gX7G9Ykky8ll8yb4slxsEMoY0c=
github.com/traefik/paerser v0.1.9 h1:x5hZafOt/yogLvr6upoSOYIAn2nh2GsnLb236MOzd4I=
github.com/traefik/paerser v0.1.9/go.mod h1:Dk3Bfz6Zyj13/S8pJyRdx/FNvXlsVRVbtp0UK4ZSiA0=
github.com/traefik/yaegi v0.14.2 h1:9t9xepIfar6BrYdwJHGc+XRKo6qFoJCl6Z46N3hUtUw=
github.com/traefik/yaegi v0.14.2/go.mod h1:AVRxhaI2G+nUsaM1zyktzwXn69G3t/AuTDrCiTds9p0=
github.com/traefik/yaegi v0.14.3 h1:LqA0k8DKwvRMc+msfQjNusphHJc+r6WC5tZU5TmUFOM=
github.com/traefik/yaegi v0.14.3/go.mod h1:AVRxhaI2G+nUsaM1zyktzwXn69G3t/AuTDrCiTds9p0=
github.com/transip/gotransip/v6 v6.17.0 h1:2RCyqYqz5+Ej8z96EyE4sf6tQrrfEBaFDO0LliSl6+8=
github.com/transip/gotransip/v6 v6.17.0/go.mod h1:pQZ36hWWRahCUXkFWlx9Hs711gLd8J4qdgLdRzmtY+g=
github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926 h1:G3dpKMzFDjgEh2q1Z7zUUtKa8ViPtH+ocF0bE0g00O8=
@ -1982,9 +2011,11 @@ github.com/uber/jaeger-lib v2.2.0+incompatible h1:MxZXOiR2JuoANZ3J6DE/U0kSFv/eJ/
github.com/uber/jaeger-lib v2.2.0+incompatible/go.mod h1:ComeNDZlWwrWnDv8aPp0Ba6+uUTzImX/AauajbLI56U=
github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc=
github.com/ugorji/go v1.1.7/go.mod h1:kZn38zHttfInRq0xu/PH0az30d+z6vm202qpg1oXVMw=
github.com/ugorji/go v1.2.6 h1:tGiWC9HENWE2tqYycIqFTNorMmFRVhNwCpDOpWqnk8E=
github.com/ugorji/go v1.2.6/go.mod h1:anCg0y61KIhDlPZmnH+so+RQbysYVyDko0IMgJv0Nn0=
github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0=
github.com/ugorji/go/codec v1.1.7/go.mod h1:Ax+UKWsSmolVDwsd+7N3ZtXu+yMGCf907BLYF3GoBXY=
github.com/ugorji/go/codec v1.2.6 h1:7kbGefxLoDBuYXOms4yD7223OpNMMPNPZxXk5TvFcyQ=
github.com/ugorji/go/codec v1.2.6/go.mod h1:V6TCNZ4PHqoHGFZuSG1W8nrCzzdgA2DozYxWFFpvxTw=
github.com/unrolled/render v1.0.2 h1:dGS3EmChQP3yOi1YeFNO/Dx+MbWZhdvhQJTXochM5bs=
github.com/unrolled/render v1.0.2/go.mod h1:gN9T0NhL4Bfbwu8ann7Ry/TGHYfosul+J0obPf6NBdM=
@ -2208,6 +2239,7 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0
golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
golang.org/x/exp v0.0.0-20200331195152-e8c3332aa8e5/go.mod h1:4M0jN8W1tt0AVLNr8HDosyJCDCDuyL9N9+3m7wDWgKw=
golang.org/x/exp v0.0.0-20200901203048-c4f52b2c50aa/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
golang.org/x/exp v0.0.0-20200908183739-ae8ad444f925 h1:5XVKs2rlCg8EFyRcvO8/XFwYxh1oKJO1Q3X5vttIf9c=
golang.org/x/exp v0.0.0-20200908183739-ae8ad444f925/go.mod h1:1phAWC201xIgDyaFpmDeZkgf70Q4Pd/CNqfRtVPtxNw=
@ -2280,6 +2312,7 @@ golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLL
golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
golang.org/x/net v0.0.0-20200421231249-e086a090c8fd/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
@ -2307,6 +2340,7 @@ golang.org/x/net v0.0.0-20210510120150-4163338589ed/go.mod h1:9nx3DQGgdP8bBQD5qx
golang.org/x/net v0.0.0-20210520170846-37e1c6afe023/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/net v0.0.0-20210726213435-c6fcb2dbf985/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/net v0.0.0-20210913180222-943fd674d43e/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/net v0.0.0-20211020060615-d418f374d309/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
@ -2420,6 +2454,7 @@ golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7w
golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200420163511-1957bb5e6d1f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@ -2470,6 +2505,7 @@ golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBc
golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20210806184541-e5e7981a1069/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20211103235746-7861aae1554b/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@ -2676,6 +2712,7 @@ google.golang.org/genproto v0.0.0-20200228133532-8c2c7df3a383/go.mod h1:55QSHmfG
google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
google.golang.org/genproto v0.0.0-20200423170343-7949de9c1215/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
@ -2695,6 +2732,7 @@ google.golang.org/genproto v0.0.0-20201110150050-8816d57aaa9a/go.mod h1:FWY/as6D
google.golang.org/genproto v0.0.0-20201201144952-b05cb90ed32e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
google.golang.org/genproto v0.0.0-20210126160654-44e461bb6506/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
google.golang.org/genproto v0.0.0-20210222152913-aa3ee6e6a81c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
google.golang.org/genproto v0.0.0-20210310155132-4ce2db91004e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
@ -2939,6 +2977,9 @@ launchpad.net/gocheck v0.0.0-20140225173054-000000000087/go.mod h1:hj7XX3B/0A+80
mellium.im/sasl v0.2.1/go.mod h1:ROaEDLQNuf9vjKqE1SrAfnsobm2YKXT1gnN1uDp1PjQ=
mvdan.cc/xurls/v2 v2.1.0 h1:KaMb5GLhlcSX+e+qhbRJODnUUBvlw01jt4yrjFIHAuA=
mvdan.cc/xurls/v2 v2.1.0/go.mod h1:5GrSd9rOnKOpZaji1OZLYL/yeAAtGDlo/cFe+8K5n8E=
nhooyr.io/websocket v1.8.6/go.mod h1:B70DZP8IakI65RVQ51MsWP/8jndNma26DVA/nFSCgW0=
nhooyr.io/websocket v1.8.7 h1:usjR2uOr/zjjkVMy0lW+PPohFok7PCow5sDjLgX4P4g=
nhooyr.io/websocket v1.8.7/go.mod h1:B70DZP8IakI65RVQ51MsWP/8jndNma26DVA/nFSCgW0=
rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
rsc.io/pdf v0.1.1/go.mod h1:n8OzWcQ6Sp37PL01nO98y4iUCRdTGarVfzxY20ICaU4=
rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=

8
integration/access_log_test.go
View file

@ -435,7 +435,7 @@ func (s *AccessLogSuite) TestAccessLogBackendNotFound(c *check.C) {
checkNoOtherTraefikProblems(c)
}
func (s *AccessLogSuite) TestAccessLogFrontendWhitelist(c *check.C) {
func (s *AccessLogSuite) TestAccessLogFrontendAllowlist(c *check.C) {
ensureWorkingDirectoryIsClean()
expected := []accessLogValue{
@ -443,7 +443,7 @@ func (s *AccessLogSuite) TestAccessLogFrontendWhitelist(c *check.C) {
formatOnly: false,
code: "403",
user: "-",
routerName: "rt-frontendWhitelist",
routerName: "rt-frontendAllowlist",
serviceURL: "-",
},
}
@ -458,7 +458,7 @@ func (s *AccessLogSuite) TestAccessLogFrontendWhitelist(c *check.C) {
checkStatsForLogFile(c)
waitForTraefik(c, "frontendWhitelist")
waitForTraefik(c, "frontendAllowlist")
// Verify Traefik started OK
checkTraefikStarted(c)
@ -466,7 +466,7 @@ func (s *AccessLogSuite) TestAccessLogFrontendWhitelist(c *check.C) {
// Test rate limit
req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/", nil)
c.Assert(err, checker.IsNil)
req.Host = "frontend.whitelist.docker.local"
req.Host = "frontend.allowlist.docker.local"
err = try.Request(req, 500*time.Millisecond, try.StatusCodeIs(http.StatusForbidden), try.HasBody())
c.Assert(err, checker.IsNil)

27
integration/fixtures/k8s/01-traefik-crd.yml
View file

@ -967,6 +967,17 @@ spec:
forward) all X-Forwarded-* headers.'
type: boolean
type: object
grpcWeb:
description: GrpcWeb holds the gRPC web middleware configuration.
This middleware converts a gRPC web request to an HTTP/2 gRPC request.
properties:
allowOrigins:
description: AllowOrigins is a list of allowable origins. Can
also be a wildcard origin "*".
items:
type: string
type: array
type: object
headers:
description: 'Headers holds the headers middleware configuration.
This middleware manages the requests and responses headers. More
@ -1149,7 +1160,7 @@ spec:
properties:
ipStrategy:
description: 'IPStrategy holds the IP strategy configuration
used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/#ipstrategy'
used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipallowlist/#ipstrategy'
properties:
depth:
description: Depth tells Traefik to use the X-Forwarded-For
@ -1174,14 +1185,14 @@ spec:
type: boolean
type: object
type: object
ipWhiteList:
description: 'IPWhiteList holds the IP whitelist middleware configuration.
ipAllowList:
description: 'IPAllowList holds the IP allowlist middleware configuration.
This middleware accepts / refuses requests based on the client IP.
More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/'
More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipallowlist/'
properties:
ipStrategy:
description: 'IPStrategy holds the IP strategy configuration used
by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/#ipstrategy'
by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipallowlist/#ipstrategy'
properties:
depth:
description: Depth tells Traefik to use the X-Forwarded-For
@ -1345,7 +1356,7 @@ spec:
properties:
ipStrategy:
description: 'IPStrategy holds the IP strategy configuration
used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/#ipstrategy'
used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipallowlist/#ipstrategy'
properties:
depth:
description: Depth tells Traefik to use the X-Forwarded-For
@ -1541,8 +1552,8 @@ spec:
format: int64
type: integer
type: object
ipWhiteList:
description: IPWhiteList defines the IPWhiteList middleware configuration.
ipAllowList:
description: IPAllowList defines the IPAllowList middleware configuration.
properties:
sourceRange:
description: SourceRange defines the allowed IPs (or ranges of

0
integration/fixtures/simple_whitelist.toml → integration/fixtures/simple_allowlist.toml
View file

66
integration/fixtures/simple_metrics_with_buffer_middleware.toml Normal file
View file

@ -0,0 +1,66 @@
[global]
checkNewVersion = false
sendAnonymousUsage = false
[log]
level = "DEBUG"
[entryPoints]
[entryPoints.webA]
address = ":8001"
[entryPoints.webB]
address = ":8002"
[entryPoints.webC]
address = ":8003"
[api]
insecure = true
[metrics]
[metrics.prometheus]
buckets = "0.1,0.3,1.2,5.0"
[providers]
[providers.file]
filename = "{{ .SelfFilename }}"
## dynamic configuration ##
[http.routers]
[http.routers.router-without]
entrypoints = ["webA"]
service = "service-without"
rule = "PathPrefix(`/without`)"
[http.routers.router-req]
entrypoints = ["webB"]
service = "service-req"
rule = "PathPrefix(`/with-req`)"
middlewares = ["buffer-req"]
[http.routers.router-resp]
entrypoints = ["webC"]
service = "service-resp"
rule = "PathPrefix(`/with-resp`)"
middlewares = ["buffer-resp"]
[http.middlewares]
[http.middlewares.buffer-req.buffering]
maxRequestBodyBytes = 10
[http.middlewares.buffer-resp.buffering]
maxResponseBodyBytes = 10
[http.services]
[http.services.service-without.loadBalancer]
[[http.services.service-without.loadBalancer.servers]]
url = "http://{{ .IP }}"
[http.services.service-req.loadBalancer]
[[http.services.service-req.loadBalancer.servers]]
url = "http://{{ .IP }}"
[http.services.service-resp.loadBalancer]
[[http.services.service-resp.loadBalancer.servers]]
url = "http://{{ .IP }}"

8
integration/fixtures/tcp/ip-whitelist.toml → integration/fixtures/tcp/ipallowlist.toml
View file

@ -23,7 +23,7 @@
entryPoints = ["tcp"]
rule = "HostSNI(`whoami-a.test`)"
service = "whoami-a"
middlewares = ["blocking-ipwhitelist"]
middlewares = ["blocking-ipallowlist"]
[tcp.routers.to-whoami-a.tls]
passthrough = true
@ -31,7 +31,7 @@
entryPoints = ["tcp"]
rule = "HostSNI(`whoami-b.test`)"
service = "whoami-b"
middlewares = ["allowing-ipwhitelist"]
middlewares = ["allowing-ipallowlist"]
[tcp.routers.to-whoami-b.tls]
passthrough = true
@ -45,7 +45,7 @@
address = "{{ .WhoamiB }}"
[tcp.middlewares]
[tcp.middlewares.allowing-ipwhitelist.ipWhiteList]
[tcp.middlewares.allowing-ipallowlist.ipAllowList]
sourceRange = ["127.0.0.1/32"]
[tcp.middlewares.blocking-ipwhitelist.ipWhiteList]
[tcp.middlewares.blocking-ipallowlist.ipAllowList]
sourceRange = ["127.127.127.127/32"]

10
integration/resources/compose/access_log.yml
View file

@ -75,14 +75,14 @@ services:
traefik.http.middlewares.rate.ratelimit.burst: 2
traefik.http.services.service3.loadbalancer.server.port: 80
frontendWhitelist:
frontendAllowlist:
image: traefik/whoami
labels:
traefik.enable: true
traefik.http.routers.rt-frontendWhitelist.entryPoints: web
traefik.http.routers.rt-frontendWhitelist.rule: Host(`frontend.whitelist.docker.local`)
traefik.http.routers.rt-frontendWhitelist.middlewares: wl
traefik.http.middlewares.wl.ipwhitelist.sourcerange: 8.8.8.8/32
traefik.http.routers.rt-frontendAllowlist.entryPoints: web
traefik.http.routers.rt-frontendAllowlist.rule: Host(`frontend.allowlist.docker.local`)
traefik.http.routers.rt-frontendAllowlist.middlewares: wl
traefik.http.middlewares.wl.ipallowlist.sourcerange: 8.8.8.8/32
traefik.http.services.service3.loadbalancer.server.port: 80
networks:

41
integration/resources/compose/allowlist.yml Normal file
View file

@ -0,0 +1,41 @@
version: "3.8"
services:
noOverrideAllowlist:
image: traefik/whoami
labels:
traefik.enable: true
traefik.http.routers.rt1.rule: Host(`no.override.allowlist.docker.local`)
traefik.http.routers.rt1.middlewares: wl1
traefik.http.middlewares.wl1.ipallowList.sourceRange: 8.8.8.8
overrideIPStrategyRemoteAddrAllowlist:
image: traefik/whoami
labels:
traefik.enable: true
traefik.http.routers.rt2.rule: Host(`override.remoteaddr.allowlist.docker.local`)
traefik.http.routers.rt2.middlewares: wl2
traefik.http.middlewares.wl2.ipallowlist.sourceRange: 8.8.8.8
traefik.http.middlewares.wl2.ipallowlist.ipStrategy: true
overrideIPStrategyDepthAllowlist:
image: traefik/whoami
labels:
traefik.enable: true
traefik.http.routers.rt3.rule: Host(`override.depth.allowlist.docker.local`)
traefik.http.routers.rt3.middlewares: wl3
traefik.http.middlewares.wl3.ipallowlist.sourceRange: 8.8.8.8
traefik.http.middlewares.wl3.ipallowlist.ipStrategy.depth: 3
overrideIPStrategyExcludedIPsAllowlist:
image: traefik/whoami
labels:
traefik.enable: true
traefik.http.routers.rt4.rule: Host(`override.excludedips.allowlist.docker.local`)
traefik.http.routers.rt4.middlewares: wl4
traefik.http.middlewares.wl4.ipallowlist.sourceRange: 8.8.8.8
traefik.http.middlewares.wl4.ipallowlist.ipStrategy.excludedIPs: 10.0.0.1,10.0.0.2
networks:
default:
name: traefik-test-network
external: true

41
integration/resources/compose/whitelist.yml
View file

@ -1,41 +0,0 @@
version: "3.8"
services:
noOverrideWhitelist:
image: traefik/whoami
labels:
traefik.enable: true
traefik.http.routers.rt1.rule: Host(`no.override.whitelist.docker.local`)
traefik.http.routers.rt1.middlewares: wl1
traefik.http.middlewares.wl1.ipwhiteList.sourceRange: 8.8.8.8
overrideIPStrategyRemoteAddrWhitelist:
image: traefik/whoami
labels:
traefik.enable: true
traefik.http.routers.rt2.rule: Host(`override.remoteaddr.whitelist.docker.local`)
traefik.http.routers.rt2.middlewares: wl2
traefik.http.middlewares.wl2.ipwhitelist.sourceRange: 8.8.8.8
traefik.http.middlewares.wl2.ipwhitelist.ipStrategy: true
overrideIPStrategyDepthWhitelist:
image: traefik/whoami
labels:
traefik.enable: true
traefik.http.routers.rt3.rule: Host(`override.depth.whitelist.docker.local`)
traefik.http.routers.rt3.middlewares: wl3
traefik.http.middlewares.wl3.ipwhitelist.sourceRange: 8.8.8.8
traefik.http.middlewares.wl3.ipwhitelist.ipStrategy.depth: 3
overrideIPStrategyExcludedIPsWhitelist:
image: traefik/whoami
labels:
traefik.enable: true
traefik.http.routers.rt4.rule: Host(`override.excludedips.whitelist.docker.local`)
traefik.http.routers.rt4.middlewares: wl4
traefik.http.middlewares.wl4.ipwhitelist.sourceRange: 8.8.8.8
traefik.http.middlewares.wl4.ipwhitelist.ipStrategy.excludedIPs: 10.0.0.1,10.0.0.2
networks:
default:
name: traefik-test-network
external: true

106
integration/simple_test.go
View file

@ -308,7 +308,7 @@ func (s *SimpleSuite) TestMetricsPrometheusDefaultEntryPoint(c *check.C) {
c.Assert(err, checker.IsNil)
defer s.killCmd(cmd)
err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1*time.Second, try.BodyContains("PathPrefix"))
err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1*time.Second, try.BodyContains("PathPrefix(`/whoami`)"))
c.Assert(err, checker.IsNil)
err = try.GetRequest("http://127.0.0.1:8000/whoami", 1*time.Second, try.StatusCodeIs(http.StatusOK))
@ -369,6 +369,84 @@ func (s *SimpleSuite) TestMetricsPrometheusTwoRoutersOneService(c *check.C) {
}
}
// TestMetricsWithBufferingMiddleware checks that the buffering middleware
// (which introduces its own response writer in the chain), does not interfere with
// the capture middleware on which the metrics mechanism relies.
func (s *SimpleSuite) TestMetricsWithBufferingMiddleware(c *check.C) {
s.createComposeProject(c, "base")
s.composeUp(c)
defer s.composeDown(c)
server := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusOK)
_, _ = w.Write([]byte("MORE THAN TEN BYTES IN RESPONSE"))
}))
server.Start()
defer server.Close()
file := s.adaptFile(c, "fixtures/simple_metrics_with_buffer_middleware.toml", struct{ IP string }{IP: strings.TrimPrefix(server.URL, "http://")})
defer os.Remove(file)
cmd, output := s.traefikCmd(withConfigFile(file))
defer output(c)
err := cmd.Start()
c.Assert(err, checker.IsNil)
defer s.killCmd(cmd)
err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1*time.Second, try.BodyContains("PathPrefix(`/without`)"))
c.Assert(err, checker.IsNil)
err = try.GetRequest("http://127.0.0.1:8001/without", 1*time.Second, try.StatusCodeIs(http.StatusOK))
c.Assert(err, checker.IsNil)
req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8002/with-req", strings.NewReader("MORE THAN TEN BYTES IN REQUEST"))
c.Assert(err, checker.IsNil)
// The request should fail because the body is too large.
err = try.Request(req, 1*time.Second, try.StatusCodeIs(http.StatusRequestEntityTooLarge))
c.Assert(err, checker.IsNil)
// The request should fail because the response exceeds the configured limit.
err = try.GetRequest("http://127.0.0.1:8003/with-resp", 1*time.Second, try.StatusCodeIs(http.StatusInternalServerError))
c.Assert(err, checker.IsNil)
request, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8080/metrics", nil)
c.Assert(err, checker.IsNil)
response, err := http.DefaultClient.Do(request)
c.Assert(err, checker.IsNil)
c.Assert(response.StatusCode, checker.Equals, http.StatusOK)
body, err := io.ReadAll(response.Body)
c.Assert(err, checker.IsNil)
// For allowed requests and responses, the entrypoint and service metrics have the same status code.
c.Assert(string(body), checker.Contains, "traefik_entrypoint_requests_total{code=\"200\",entrypoint=\"webA\",method=\"GET\",protocol=\"http\"} 1")
c.Assert(string(body), checker.Contains, "traefik_entrypoint_requests_bytes_total{code=\"200\",entrypoint=\"webA\",method=\"GET\",protocol=\"http\"} 0")
c.Assert(string(body), checker.Contains, "traefik_entrypoint_responses_bytes_total{code=\"200\",entrypoint=\"webA\",method=\"GET\",protocol=\"http\"} 31")
c.Assert(string(body), checker.Contains, "traefik_service_requests_total{code=\"200\",method=\"GET\",protocol=\"http\",service=\"service-without@file\"} 1")
c.Assert(string(body), checker.Contains, "traefik_service_requests_bytes_total{code=\"200\",method=\"GET\",protocol=\"http\",service=\"service-without@file\"} 0")
c.Assert(string(body), checker.Contains, "traefik_service_responses_bytes_total{code=\"200\",method=\"GET\",protocol=\"http\",service=\"service-without@file\"} 31")
// For forbidden requests, the entrypoints have metrics, the services don't.
c.Assert(string(body), checker.Contains, "traefik_entrypoint_requests_total{code=\"413\",entrypoint=\"webB\",method=\"GET\",protocol=\"http\"} 1")
c.Assert(string(body), checker.Contains, "traefik_entrypoint_requests_bytes_total{code=\"413\",entrypoint=\"webB\",method=\"GET\",protocol=\"http\"} 0")
c.Assert(string(body), checker.Contains, "traefik_entrypoint_responses_bytes_total{code=\"413\",entrypoint=\"webB\",method=\"GET\",protocol=\"http\"} 24")
// For disallowed responses, the entrypoint and service metrics don't have the same status code.
c.Assert(string(body), checker.Contains, "traefik_entrypoint_requests_bytes_total{code=\"500\",entrypoint=\"webC\",method=\"GET\",protocol=\"http\"} 0")
c.Assert(string(body), checker.Contains, "traefik_entrypoint_requests_total{code=\"500\",entrypoint=\"webC\",method=\"GET\",protocol=\"http\"} 1")
c.Assert(string(body), checker.Contains, "traefik_entrypoint_responses_bytes_total{code=\"500\",entrypoint=\"webC\",method=\"GET\",protocol=\"http\"} 21")
c.Assert(string(body), checker.Contains, "traefik_service_requests_bytes_total{code=\"200\",method=\"GET\",protocol=\"http\",service=\"service-resp@file\"} 0")
c.Assert(string(body), checker.Contains, "traefik_service_requests_total{code=\"200\",method=\"GET\",protocol=\"http\",service=\"service-resp@file\"} 1")
c.Assert(string(body), checker.Contains, "traefik_service_responses_bytes_total{code=\"200\",method=\"GET\",protocol=\"http\",service=\"service-resp@file\"} 31")
}
func (s *SimpleSuite) TestMultipleProviderSameBackendName(c *check.C) {
s.createComposeProject(c, "base")
@ -397,13 +475,13 @@ func (s *SimpleSuite) TestMultipleProviderSameBackendName(c *check.C) {
c.Assert(err, checker.IsNil)
}
func (s *SimpleSuite) TestIPStrategyWhitelist(c *check.C) {
s.createComposeProject(c, "whitelist")
func (s *SimpleSuite) TestIPStrategyAllowlist(c *check.C) {
s.createComposeProject(c, "allowlist")
s.composeUp(c)
defer s.composeDown(c)
cmd, output := s.traefikCmd(withConfigFile("fixtures/simple_whitelist.toml"))
cmd, output := s.traefikCmd(withConfigFile("fixtures/simple_allowlist.toml"))
defer output(c)
err := cmd.Start()
@ -413,7 +491,7 @@ func (s *SimpleSuite) TestIPStrategyWhitelist(c *check.C) {
err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 2*time.Second, try.BodyContains("override"))
c.Assert(err, checker.IsNil)
err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 2*time.Second, try.BodyContains("override.remoteaddr.whitelist.docker.local"))
err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 2*time.Second, try.BodyContains("override.remoteaddr.allowlist.docker.local"))
c.Assert(err, checker.IsNil)
testCases := []struct {
@ -425,31 +503,31 @@ func (s *SimpleSuite) TestIPStrategyWhitelist(c *check.C) {
{
desc: "override remote addr reject",
xForwardedFor: "8.8.8.8,8.8.8.8",
host: "override.remoteaddr.whitelist.docker.local",
host: "override.remoteaddr.allowlist.docker.local",
expectedStatusCode: 403,
},
{
desc: "override depth accept",
xForwardedFor: "8.8.8.8,10.0.0.1,127.0.0.1",
host: "override.depth.whitelist.docker.local",
host: "override.depth.allowlist.docker.local",
expectedStatusCode: 200,
},
{
desc: "override depth reject",
xForwardedFor: "10.0.0.1,8.8.8.8,127.0.0.1",
host: "override.depth.whitelist.docker.local",
host: "override.depth.allowlist.docker.local",
expectedStatusCode: 403,
},
{
desc: "override excludedIPs reject",
xForwardedFor: "10.0.0.3,10.0.0.1,10.0.0.2",
host: "override.excludedips.whitelist.docker.local",
host: "override.excludedips.allowlist.docker.local",
expectedStatusCode: 403,
},
{
desc: "override excludedIPs accept",
xForwardedFor: "8.8.8.8,10.0.0.1,10.0.0.2",
host: "override.excludedips.whitelist.docker.local",
host: "override.excludedips.allowlist.docker.local",
expectedStatusCode: 200,
},
}
@ -468,12 +546,12 @@ func (s *SimpleSuite) TestIPStrategyWhitelist(c *check.C) {
}
func (s *SimpleSuite) TestXForwardedHeaders(c *check.C) {
s.createComposeProject(c, "whitelist")
s.createComposeProject(c, "allowlist")
s.composeUp(c)
defer s.composeDown(c)
cmd, output := s.traefikCmd(withConfigFile("fixtures/simple_whitelist.toml"))
cmd, output := s.traefikCmd(withConfigFile("fixtures/simple_allowlist.toml"))
defer output(c)
err := cmd.Start()
@ -481,13 +559,13 @@ func (s *SimpleSuite) TestXForwardedHeaders(c *check.C) {
defer s.killCmd(cmd)
err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 2*time.Second,
try.BodyContains("override.remoteaddr.whitelist.docker.local"))
try.BodyContains("override.remoteaddr.allowlist.docker.local"))
c.Assert(err, checker.IsNil)
req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8000", nil)
c.Assert(err, checker.IsNil)
req.Host = "override.depth.whitelist.docker.local"
req.Host = "override.depth.allowlist.docker.local"
req.Header.Set("X-Forwarded-For", "8.8.8.8,10.0.0.1,127.0.0.1")
err = try.Request(req, 1*time.Second,

6
integration/tcp_test.go
View file

@ -241,8 +241,8 @@ func (s *TCPSuite) TestCatchAllNoTLSWithHTTPS(c *check.C) {
c.Assert(err, checker.IsNil)
}
func (s *TCPSuite) TestMiddlewareWhiteList(c *check.C) {
file := s.adaptFile(c, "fixtures/tcp/ip-whitelist.toml", struct {
func (s *TCPSuite) TestMiddlewareAllowList(c *check.C) {
file := s.adaptFile(c, "fixtures/tcp/ipallowlist.toml", struct {
WhoamiA string
WhoamiB string
}{
@ -261,7 +261,7 @@ func (s *TCPSuite) TestMiddlewareWhiteList(c *check.C) {
err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 5*time.Second, try.StatusCodeIs(http.StatusOK), try.BodyContains("HostSNI(`whoami-a.test`)"))
c.Assert(err, checker.IsNil)
// Traefik not passes through, ipWhitelist closes connection
// Traefik not passes through, ipAllowList closes connection
_, err = guessWhoTLSPassthrough("127.0.0.1:8093", "whoami-a.test")
c.Assert(err, checker.ErrorMatches, "EOF")

12
pkg/api/handler_overview_test.go
View file

@ -173,24 +173,24 @@ func TestHandler_Overview(t *testing.T) {
},
},
TCPMiddlewares: map[string]*runtime.TCPMiddlewareInfo{
"ipwhitelist1@myprovider": {
"ipallowlist1@myprovider": {
TCPMiddleware: &dynamic.TCPMiddleware{
IPWhiteList: &dynamic.TCPIPWhiteList{
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"127.0.0.1/32"},
},
},
Status: runtime.StatusEnabled,
},
"ipwhitelist2@myprovider": {
"ipallowlist2@myprovider": {
TCPMiddleware: &dynamic.TCPMiddleware{
IPWhiteList: &dynamic.TCPIPWhiteList{
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"127.0.0.1/32"},
},
},
},
"ipwhitelist3@myprovider": {
"ipallowlist3@myprovider": {
TCPMiddleware: &dynamic.TCPMiddleware{
IPWhiteList: &dynamic.TCPIPWhiteList{
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"127.0.0.1/32"},
},
},

68
pkg/api/handler_tcp_test.go
View file

@ -512,25 +512,25 @@ func TestHandler_TCP(t *testing.T) {
path: "/api/tcp/middlewares",
conf: runtime.Configuration{
TCPMiddlewares: map[string]*runtime.TCPMiddlewareInfo{
"ipwhitelist1@myprovider": {
"ipallowlist1@myprovider": {
TCPMiddleware: &dynamic.TCPMiddleware{
IPWhiteList: &dynamic.TCPIPWhiteList{
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"127.0.0.1/32"},
},
},
UsedBy: []string{"bar@myprovider", "test@myprovider"},
},
"ipwhitelist2@myprovider": {
"ipallowlist2@myprovider": {
TCPMiddleware: &dynamic.TCPMiddleware{
IPWhiteList: &dynamic.TCPIPWhiteList{
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"127.0.0.2/32"},
},
},
UsedBy: []string{"test@myprovider"},
},
"ipwhitelist1@anotherprovider": {
"ipallowlist1@anotherprovider": {
TCPMiddleware: &dynamic.TCPMiddleware{
IPWhiteList: &dynamic.TCPIPWhiteList{
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"127.0.0.1/32"},
},
},
@ -549,27 +549,27 @@ func TestHandler_TCP(t *testing.T) {
path: "/api/tcp/middlewares?status=enabled",
conf: runtime.Configuration{
TCPMiddlewares: map[string]*runtime.TCPMiddlewareInfo{
"ipwhitelist@myprovider": {
"ipallowlist@myprovider": {
TCPMiddleware: &dynamic.TCPMiddleware{
IPWhiteList: &dynamic.TCPIPWhiteList{
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"127.0.0.1/32"},
},
},
UsedBy: []string{"bar@myprovider", "test@myprovider"},
Status: runtime.StatusEnabled,
},
"ipwhitelist2@myprovider": {
"ipallowlist2@myprovider": {
TCPMiddleware: &dynamic.TCPMiddleware{
IPWhiteList: &dynamic.TCPIPWhiteList{
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"127.0.0.2/32"},
},
},
UsedBy: []string{"test@myprovider"},
Status: runtime.StatusDisabled,
},
"ipwhitelist@anotherprovider": {
"ipallowlist@anotherprovider": {
TCPMiddleware: &dynamic.TCPMiddleware{
IPWhiteList: &dynamic.TCPIPWhiteList{
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"127.0.0.1/32"},
},
},
@ -586,30 +586,30 @@ func TestHandler_TCP(t *testing.T) {
},
{
desc: "middlewares filtered by search",
path: "/api/tcp/middlewares?search=ipwhitelist",
path: "/api/tcp/middlewares?search=ipallowlist",
conf: runtime.Configuration{
TCPMiddlewares: map[string]*runtime.TCPMiddlewareInfo{
"bad@myprovider": {
TCPMiddleware: &dynamic.TCPMiddleware{
IPWhiteList: &dynamic.TCPIPWhiteList{
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"127.0.0.1/32"},
},
},
UsedBy: []string{"bar@myprovider", "test@myprovider"},
Status: runtime.StatusEnabled,
},
"ipwhitelist@myprovider": {
"ipallowlist@myprovider": {
TCPMiddleware: &dynamic.TCPMiddleware{
IPWhiteList: &dynamic.TCPIPWhiteList{
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"127.0.0.1/32"},
},
},
UsedBy: []string{"test@myprovider"},
Status: runtime.StatusDisabled,
},
"ipwhitelist@anotherprovider": {
"ipallowlist@anotherprovider": {
TCPMiddleware: &dynamic.TCPMiddleware{
IPWhiteList: &dynamic.TCPIPWhiteList{
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"127.0.0.1/32"},
},
},
@ -629,25 +629,25 @@ func TestHandler_TCP(t *testing.T) {
path: "/api/tcp/middlewares?page=2&per_page=1",
conf: runtime.Configuration{
TCPMiddlewares: map[string]*runtime.TCPMiddlewareInfo{
"ipwhitelist@myprovider": {
"ipallowlist@myprovider": {
TCPMiddleware: &dynamic.TCPMiddleware{
IPWhiteList: &dynamic.TCPIPWhiteList{
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"127.0.0.1/32"},
},
},
UsedBy: []string{"bar@myprovider", "test@myprovider"},
},
"ipwhitelist2@myprovider": {
"ipallowlist2@myprovider": {
TCPMiddleware: &dynamic.TCPMiddleware{
IPWhiteList: &dynamic.TCPIPWhiteList{
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"127.0.0.2/32"},
},
},
UsedBy: []string{"test@myprovider"},
},
"ipwhitelist@anotherprovider": {
"ipallowlist@anotherprovider": {
TCPMiddleware: &dynamic.TCPMiddleware{
IPWhiteList: &dynamic.TCPIPWhiteList{
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"127.0.0.1/32"},
},
},
@ -663,28 +663,28 @@ func TestHandler_TCP(t *testing.T) {
},
{
desc: "one middleware by id",
path: "/api/tcp/middlewares/ipwhitelist@myprovider",
path: "/api/tcp/middlewares/ipallowlist@myprovider",
conf: runtime.Configuration{
TCPMiddlewares: map[string]*runtime.TCPMiddlewareInfo{
"ipwhitelist@myprovider": {
"ipallowlist@myprovider": {
TCPMiddleware: &dynamic.TCPMiddleware{
IPWhiteList: &dynamic.TCPIPWhiteList{
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"127.0.0.1/32"},
},
},
UsedBy: []string{"bar@myprovider", "test@myprovider"},
},
"ipwhitelist2@myprovider": {
"ipallowlist2@myprovider": {
TCPMiddleware: &dynamic.TCPMiddleware{
IPWhiteList: &dynamic.TCPIPWhiteList{
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"127.0.0.2/32"},
},
},
UsedBy: []string{"test@myprovider"},
},
"ipwhitelist@anotherprovider": {
"ipallowlist@anotherprovider": {
TCPMiddleware: &dynamic.TCPMiddleware{
IPWhiteList: &dynamic.TCPIPWhiteList{
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"127.0.0.1/32"},
},
},
@ -694,7 +694,7 @@ func TestHandler_TCP(t *testing.T) {
},
expected: expected{
statusCode: http.StatusOK,
jsonFile: "testdata/tcpmiddleware-ipwhitelist.json",
jsonFile: "testdata/tcpmiddleware-ipallowlist.json",
},
},
{
@ -702,9 +702,9 @@ func TestHandler_TCP(t *testing.T) {
path: "/api/tcp/middlewares/foo@myprovider",
conf: runtime.Configuration{
TCPMiddlewares: map[string]*runtime.TCPMiddlewareInfo{
"ipwhitelist@myprovider": {
"ipallowlist@myprovider": {
TCPMiddleware: &dynamic.TCPMiddleware{
IPWhiteList: &dynamic.TCPIPWhiteList{
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"127.0.0.1/32"},
},
},

8
pkg/api/testdata/tcpmiddleware-ipwhitelist.json → pkg/api/testdata/tcpmiddleware-ipallowlist.json vendored
View file

@ -1,13 +1,13 @@
{
"ipWhiteList": {
"ipAllowList": {
"sourceRange": ["127.0.0.1/32"]
},
"name": "ipwhitelist@myprovider",
"name": "ipallowlist@myprovider",
"provider": "myprovider",
"status": "enabled",
"type": "ipwhitelist",
"type": "ipallowlist",
"usedBy": [
"bar@myprovider",
"test@myprovider"
]
}
}

14
pkg/api/testdata/tcpmiddlewares-filtered-search.json vendored
View file

@ -1,26 +1,26 @@
[
{
"ipWhiteList": {
"ipAllowList": {
"sourceRange": ["127.0.0.1/32"]
},
"name": "ipwhitelist@anotherprovider",
"name": "ipallowlist@anotherprovider",
"provider": "anotherprovider",
"status": "enabled",
"type": "ipwhitelist",
"type": "ipallowlist",
"usedBy": [
"bar@myprovider"
]
},
{
"ipWhiteList": {
"ipAllowList": {
"sourceRange": ["127.0.0.1/32"]
},
"name": "ipwhitelist@myprovider",
"name": "ipallowlist@myprovider",
"provider": "myprovider",
"status": "disabled",
"type": "ipwhitelist",
"type": "ipallowlist",
"usedBy": [
"test@myprovider"
]
}
]
]

14
pkg/api/testdata/tcpmiddlewares-filtered-status.json vendored
View file

@ -1,27 +1,27 @@
[
{
"ipWhiteList": {
"ipAllowList": {
"sourceRange": ["127.0.0.1/32"]
},
"name": "ipwhitelist@anotherprovider",
"name": "ipallowlist@anotherprovider",
"provider": "anotherprovider",
"status": "enabled",
"type": "ipwhitelist",
"type": "ipallowlist",
"usedBy": [
"bar@myprovider"
]
},
{
"ipWhiteList": {
"ipAllowList": {
"sourceRange": ["127.0.0.1/32"]
},
"name": "ipwhitelist@myprovider",
"name": "ipallowlist@myprovider",
"provider": "myprovider",
"status": "enabled",
"type": "ipwhitelist",
"type": "ipallowlist",
"usedBy": [
"bar@myprovider",
"test@myprovider"
]
}
]
]

8
pkg/api/testdata/tcpmiddlewares-page2.json vendored
View file

@ -1,14 +1,14 @@
[
{
"ipWhiteList": {
"ipAllowList": {
"sourceRange": ["127.0.0.1/32"]
},
"name": "ipwhitelist@anotherprovider",
"name": "ipallowlist@anotherprovider",
"provider": "anotherprovider",
"status": "enabled",
"type": "ipwhitelist",
"type": "ipallowlist",
"usedBy": [
"bar@myprovider"
]
}
]
]

20
pkg/api/testdata/tcpmiddlewares.json vendored
View file

@ -1,39 +1,39 @@
[
{
"ipWhiteList": {
"ipAllowList": {
"sourceRange": ["127.0.0.1/32"]
},
"name": "ipwhitelist1@anotherprovider",
"name": "ipallowlist1@anotherprovider",
"provider": "anotherprovider",
"status": "enabled",
"type": "ipwhitelist",
"type": "ipallowlist",
"usedBy": [
"bar@myprovider"
]
},
{
"ipWhiteList": {
"ipAllowList": {
"sourceRange": ["127.0.0.1/32"]
},
"name": "ipwhitelist1@myprovider",
"name": "ipallowlist1@myprovider",
"provider": "myprovider",
"status": "enabled",
"type": "ipwhitelist",
"type": "ipallowlist",
"usedBy": [
"bar@myprovider",
"test@myprovider"
]
},
{
"ipWhiteList": {
"ipAllowList": {
"sourceRange": ["127.0.0.2/32"]
},
"name": "ipwhitelist2@myprovider",
"name": "ipallowlist2@myprovider",
"provider": "myprovider",
"status": "enabled",
"type": "ipwhitelist",
"type": "ipallowlist",
"usedBy": [
"test@myprovider"
]
}
]
]

6
pkg/config/dynamic/fixtures/sample.toml
View file

@ -358,11 +358,11 @@
[http.middlewares.Middleware5.chain]
middlewares = ["foobar", "foobar"]
[http.middlewares.Middleware6]
[http.middlewares.Middleware6.ipWhiteList]
[http.middlewares.Middleware6.ipAllowList]
sourceRange = ["foobar", "foobar"]
[http.middlewares.Middleware7]
[http.middlewares.Middleware7.ipWhiteList]
[http.middlewares.Middleware7.ipWhiteList.ipStrategy]
[http.middlewares.Middleware7.ipAllowList]
[http.middlewares.Middleware7.ipAllowList.ipStrategy]
depth = 42
excludedIPs = ["foobar", "foobar"]
[http.middlewares.Middleware8]

21
pkg/config/dynamic/middlewares.go
View file

@ -18,7 +18,7 @@ type Middleware struct {
ReplacePath *ReplacePath `json:"replacePath,omitempty" toml:"replacePath,omitempty" yaml:"replacePath,omitempty" export:"true"`
ReplacePathRegex *ReplacePathRegex `json:"replacePathRegex,omitempty" toml:"replacePathRegex,omitempty" yaml:"replacePathRegex,omitempty" export:"true"`
Chain *Chain `json:"chain,omitempty" toml:"chain,omitempty" yaml:"chain,omitempty" export:"true"`
IPWhiteList *IPWhiteList `json:"ipWhiteList,omitempty" toml:"ipWhiteList,omitempty" yaml:"ipWhiteList,omitempty" export:"true"`
IPAllowList *IPAllowList `json:"ipAllowList,omitempty" toml:"ipAllowList,omitempty" yaml:"ipAllowList,omitempty" export:"true"`
Headers *Headers `json:"headers,omitempty" toml:"headers,omitempty" yaml:"headers,omitempty" export:"true"`
Errors *ErrorPage `json:"errors,omitempty" toml:"errors,omitempty" yaml:"errors,omitempty" export:"true"`
RateLimit *RateLimit `json:"rateLimit,omitempty" toml:"rateLimit,omitempty" yaml:"rateLimit,omitempty" export:"true"`
@ -34,12 +34,23 @@ type Middleware struct {
PassTLSClientCert *PassTLSClientCert `json:"passTLSClientCert,omitempty" toml:"passTLSClientCert,omitempty" yaml:"passTLSClientCert,omitempty" export:"true"`
Retry *Retry `json:"retry,omitempty" toml:"retry,omitempty" yaml:"retry,omitempty" export:"true"`
ContentType *ContentType `json:"contentType,omitempty" toml:"contentType,omitempty" yaml:"contentType,omitempty" export:"true"`
GrpcWeb *GrpcWeb `json:"grpcWeb,omitempty" toml:"grpcWeb,omitempty" yaml:"grpcWeb,omitempty" export:"true"`
Plugin map[string]PluginConf `json:"plugin,omitempty" toml:"plugin,omitempty" yaml:"plugin,omitempty" export:"true"`
}
// +k8s:deepcopy-gen=true
// GrpcWeb holds the gRPC web middleware configuration.
// This middleware converts a gRPC web request to an HTTP/2 gRPC request.
type GrpcWeb struct {
// AllowOrigins is a list of allowable origins.
// Can also be a wildcard origin "*".
AllowOrigins []string `json:"allowOrigins,omitempty" toml:"allowOrigins,omitempty" yaml:"allowOrigins,omitempty"`
}
// +k8s:deepcopy-gen=true
// ContentType holds the content-type middleware configuration.
// This middleware exists to enable the correct behavior until at least the default one can be changed in a future version.
type ContentType struct {
@ -346,7 +357,7 @@ func (h *Headers) HasSecureHeadersDefined() bool {
// +k8s:deepcopy-gen=true
// IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
// More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/#ipstrategy
// More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipallowlist/#ipstrategy
type IPStrategy struct {
// Depth tells Traefik to use the X-Forwarded-For header and take the IP located at the depth position (starting from the right).
Depth int `json:"depth,omitempty" toml:"depth,omitempty" yaml:"depth,omitempty" export:"true"`
@ -385,10 +396,10 @@ func (s *IPStrategy) Get() (ip.Strategy, error) {
// +k8s:deepcopy-gen=true
// IPWhiteList holds the IP whitelist middleware configuration.
// IPAllowList holds the IP allowlist middleware configuration.
// This middleware accepts / refuses requests based on the client IP.
// More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/
type IPWhiteList struct {
// More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipallowlist/
type IPAllowList struct {
// SourceRange defines the set of allowed IPs (or ranges of allowed IPs by using CIDR notation).
SourceRange []string `json:"sourceRange,omitempty" toml:"sourceRange,omitempty" yaml:"sourceRange,omitempty"`
IPStrategy *IPStrategy `json:"ipStrategy,omitempty" toml:"ipStrategy,omitempty" yaml:"ipStrategy,omitempty" label:"allowEmpty" file:"allowEmpty" kv:"allowEmpty" export:"true"`

6
pkg/config/dynamic/tcp_middlewares.go
View file

@ -5,7 +5,7 @@ package dynamic
// TCPMiddleware holds the TCPMiddleware configuration.
type TCPMiddleware struct {
InFlightConn *TCPInFlightConn `json:"inFlightConn,omitempty" toml:"inFlightConn,omitempty" yaml:"inFlightConn,omitempty" export:"true"`
IPWhiteList *TCPIPWhiteList `json:"ipWhiteList,omitempty" toml:"ipWhiteList,omitempty" yaml:"ipWhiteList,omitempty" export:"true"`
IPAllowList *TCPIPAllowList `json:"ipAllowList,omitempty" toml:"ipAllowList,omitempty" yaml:"ipAllowList,omitempty" export:"true"`
}
// +k8s:deepcopy-gen=true
@ -22,9 +22,9 @@ type TCPInFlightConn struct {
// +k8s:deepcopy-gen=true
// TCPIPWhiteList holds the TCP IPWhiteList middleware configuration.
// TCPIPAllowList holds the TCP IPAllowList middleware configuration.
// This middleware accepts/refuses connections based on the client IP.
type TCPIPWhiteList struct {
type TCPIPAllowList struct {
// SourceRange defines the allowed IPs (or ranges of allowed IPs by using CIDR notation).
SourceRange []string `json:"sourceRange,omitempty" toml:"sourceRange,omitempty" yaml:"sourceRange,omitempty"`
}

98
pkg/config/dynamic/zz_generated.deepcopy.go
View file

@ -353,6 +353,27 @@ func (in *ForwardingTimeouts) DeepCopy() *ForwardingTimeouts {
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GrpcWeb) DeepCopyInto(out *GrpcWeb) {
*out = *in
if in.AllowOrigins != nil {
in, out := &in.AllowOrigins, &out.AllowOrigins
*out = make([]string, len(*in))
copy(*out, *in)
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GrpcWeb.
func (in *GrpcWeb) DeepCopy() *GrpcWeb {
if in == nil {
return nil
}
out := new(GrpcWeb)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *HTTPConfiguration) DeepCopyInto(out *HTTPConfiguration) {
*out = *in
@ -532,6 +553,32 @@ func (in *HealthCheck) DeepCopy() *HealthCheck {
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *IPAllowList) DeepCopyInto(out *IPAllowList) {
*out = *in
if in.SourceRange != nil {
in, out := &in.SourceRange, &out.SourceRange
*out = make([]string, len(*in))
copy(*out, *in)
}
if in.IPStrategy != nil {
in, out := &in.IPStrategy, &out.IPStrategy
*out = new(IPStrategy)
(*in).DeepCopyInto(*out)
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IPAllowList.
func (in *IPAllowList) DeepCopy() *IPAllowList {
if in == nil {
return nil
}
out := new(IPAllowList)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *IPStrategy) DeepCopyInto(out *IPStrategy) {
*out = *in
@ -553,32 +600,6 @@ func (in *IPStrategy) DeepCopy() *IPStrategy {
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *IPWhiteList) DeepCopyInto(out *IPWhiteList) {
*out = *in
if in.SourceRange != nil {
in, out := &in.SourceRange, &out.SourceRange
*out = make([]string, len(*in))
copy(*out, *in)
}
if in.IPStrategy != nil {
in, out := &in.IPStrategy, &out.IPStrategy
*out = new(IPStrategy)
(*in).DeepCopyInto(*out)
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IPWhiteList.
func (in *IPWhiteList) DeepCopy() *IPWhiteList {
if in == nil {
return nil
}
out := new(IPWhiteList)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *InFlightReq) DeepCopyInto(out *InFlightReq) {
*out = *in
@ -654,9 +675,9 @@ func (in *Middleware) DeepCopyInto(out *Middleware) {
*out = new(Chain)
(*in).DeepCopyInto(*out)
}
if in.IPWhiteList != nil {
in, out := &in.IPWhiteList, &out.IPWhiteList
*out = new(IPWhiteList)
if in.IPAllowList != nil {
in, out := &in.IPAllowList, &out.IPAllowList
*out = new(IPAllowList)
(*in).DeepCopyInto(*out)
}
if in.Headers != nil {
@ -734,6 +755,11 @@ func (in *Middleware) DeepCopyInto(out *Middleware) {
*out = new(ContentType)
**out = **in
}
if in.GrpcWeb != nil {
in, out := &in.GrpcWeb, &out.GrpcWeb
*out = new(GrpcWeb)
(*in).DeepCopyInto(*out)
}
if in.Plugin != nil {
in, out := &in.Plugin, &out.Plugin
*out = make(map[string]PluginConf, len(*in))
@ -1384,7 +1410,7 @@ func (in *TCPConfiguration) DeepCopy() *TCPConfiguration {
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TCPIPWhiteList) DeepCopyInto(out *TCPIPWhiteList) {
func (in *TCPIPAllowList) DeepCopyInto(out *TCPIPAllowList) {
*out = *in
if in.SourceRange != nil {
in, out := &in.SourceRange, &out.SourceRange
@ -1394,12 +1420,12 @@ func (in *TCPIPWhiteList) DeepCopyInto(out *TCPIPWhiteList) {
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TCPIPWhiteList.
func (in *TCPIPWhiteList) DeepCopy() *TCPIPWhiteList {
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TCPIPAllowList.
func (in *TCPIPAllowList) DeepCopy() *TCPIPAllowList {
if in == nil {
return nil
}
out := new(TCPIPWhiteList)
out := new(TCPIPAllowList)
in.DeepCopyInto(out)
return out
}
@ -1428,9 +1454,9 @@ func (in *TCPMiddleware) DeepCopyInto(out *TCPMiddleware) {
*out = new(TCPInFlightConn)
**out = **in
}
if in.IPWhiteList != nil {
in, out := &in.IPWhiteList, &out.IPWhiteList
*out = new(TCPIPWhiteList)
if in.IPAllowList != nil {
in, out := &in.IPAllowList, &out.IPAllowList
*out = new(TCPIPAllowList)
(*in).DeepCopyInto(*out)
}
return

24
pkg/config/label/label_test.go
View file

@ -82,9 +82,9 @@ func TestDecodeConfiguration(t *testing.T) {
"traefik.http.middlewares.Middleware8.headers.stsincludesubdomains": "true",
"traefik.http.middlewares.Middleware8.headers.stspreload": "true",
"traefik.http.middlewares.Middleware8.headers.stsseconds": "42",
"traefik.http.middlewares.Middleware9.ipwhitelist.ipstrategy.depth": "42",
"traefik.http.middlewares.Middleware9.ipwhitelist.ipstrategy.excludedips": "foobar, fiibar",
"traefik.http.middlewares.Middleware9.ipwhitelist.sourcerange": "foobar, fiibar",
"traefik.http.middlewares.Middleware9.ipallowlist.ipstrategy.depth": "42",
"traefik.http.middlewares.Middleware9.ipallowlist.ipstrategy.excludedips": "foobar, fiibar",
"traefik.http.middlewares.Middleware9.ipallowlist.sourcerange": "foobar, fiibar",
"traefik.http.middlewares.Middleware10.inflightreq.amount": "42",
"traefik.http.middlewares.Middleware10.inflightreq.sourcecriterion.ipstrategy.depth": "42",
"traefik.http.middlewares.Middleware10.inflightreq.sourcecriterion.ipstrategy.excludedips": "foobar, fiibar",
@ -180,7 +180,7 @@ func TestDecodeConfiguration(t *testing.T) {
"traefik.http.services.Service1.loadbalancer.sticky": "false",
"traefik.http.services.Service1.loadbalancer.sticky.cookie.name": "fui",
"traefik.tcp.middlewares.Middleware0.ipwhitelist.sourcerange": "foobar, fiibar",
"traefik.tcp.middlewares.Middleware0.ipallowlist.sourcerange": "foobar, fiibar",
"traefik.tcp.middlewares.Middleware2.inflightconn.amount": "42",
"traefik.tcp.routers.Router0.rule": "foobar",
"traefik.tcp.routers.Router0.priority": "42",
@ -244,7 +244,7 @@ func TestDecodeConfiguration(t *testing.T) {
},
Middlewares: map[string]*dynamic.TCPMiddleware{
"Middleware0": {
IPWhiteList: &dynamic.TCPIPWhiteList{
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"foobar", "fiibar"},
},
},
@ -611,7 +611,7 @@ func TestDecodeConfiguration(t *testing.T) {
},
},
"Middleware9": {
IPWhiteList: &dynamic.IPWhiteList{
IPAllowList: &dynamic.IPAllowList{
SourceRange: []string{
"foobar",
"fiibar",
@ -741,7 +741,7 @@ func TestEncodeConfiguration(t *testing.T) {
},
Middlewares: map[string]*dynamic.TCPMiddleware{
"Middleware0": {
IPWhiteList: &dynamic.TCPIPWhiteList{
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"foobar", "fiibar"},
},
},
@ -1113,7 +1113,7 @@ func TestEncodeConfiguration(t *testing.T) {
},
},
"Middleware9": {
IPWhiteList: &dynamic.IPWhiteList{
IPAllowList: &dynamic.IPAllowList{
SourceRange: []string{
"foobar",
"fiibar",
@ -1265,9 +1265,9 @@ func TestEncodeConfiguration(t *testing.T) {
"traefik.HTTP.Middlewares.Middleware8.Headers.STSIncludeSubdomains": "true",
"traefik.HTTP.Middlewares.Middleware8.Headers.STSPreload": "true",
"traefik.HTTP.Middlewares.Middleware8.Headers.STSSeconds": "42",
"traefik.HTTP.Middlewares.Middleware9.IPWhiteList.IPStrategy.Depth": "42",
"traefik.HTTP.Middlewares.Middleware9.IPWhiteList.IPStrategy.ExcludedIPs": "foobar, fiibar",
"traefik.HTTP.Middlewares.Middleware9.IPWhiteList.SourceRange": "foobar, fiibar",
"traefik.HTTP.Middlewares.Middleware9.IPAllowList.IPStrategy.Depth": "42",
"traefik.HTTP.Middlewares.Middleware9.IPAllowList.IPStrategy.ExcludedIPs": "foobar, fiibar",
"traefik.HTTP.Middlewares.Middleware9.IPAllowList.SourceRange": "foobar, fiibar",
"traefik.HTTP.Middlewares.Middleware10.InFlightReq.Amount": "42",
"traefik.HTTP.Middlewares.Middleware10.InFlightReq.SourceCriterion.IPStrategy.Depth": "42",
"traefik.HTTP.Middlewares.Middleware10.InFlightReq.SourceCriterion.IPStrategy.ExcludedIPs": "foobar, fiibar",
@ -1360,7 +1360,7 @@ func TestEncodeConfiguration(t *testing.T) {
"traefik.HTTP.Services.Service1.LoadBalancer.server.Scheme": "foobar",
"traefik.HTTP.Services.Service0.LoadBalancer.HealthCheck.Headers.name0": "foobar",
"traefik.TCP.Middlewares.Middleware0.IPWhiteList.SourceRange": "foobar, fiibar",
"traefik.TCP.Middlewares.Middleware0.IPAllowList.SourceRange": "foobar, fiibar",
"traefik.TCP.Middlewares.Middleware2.InFlightConn.Amount": "42",
"traefik.TCP.Routers.Router0.Rule": "foobar",
"traefik.TCP.Routers.Router0.Priority": "42",

10
pkg/ip/checker_test.go
View file

@ -11,25 +11,25 @@ import (
func TestIsAuthorized(t *testing.T) {
testCases := []struct {
desc string
whiteList []string
allowList []string
remoteAddr string
authorized bool
}{
{
desc: "remoteAddr not in range",
whiteList: []string{"1.2.3.4/24"},
allowList: []string{"1.2.3.4/24"},
remoteAddr: "10.2.3.1:123",
authorized: false,
},
{
desc: "remoteAddr in range",
whiteList: []string{"1.2.3.4/24"},
allowList: []string{"1.2.3.4/24"},
remoteAddr: "1.2.3.1:123",
authorized: true,
},
{
desc: "octal ip in remoteAddr",
whiteList: []string{"127.2.3.4/24"},
allowList: []string{"127.2.3.4/24"},
remoteAddr: "0127.2.3.1:123",
authorized: false,
},
@ -40,7 +40,7 @@ func TestIsAuthorized(t *testing.T) {
t.Run(test.desc, func(t *testing.T) {
t.Parallel()
ipChecker, err := NewChecker(test.whiteList)
ipChecker, err := NewChecker(test.allowList)
require.NoError(t, err)
err = ipChecker.IsAuthorized(test.remoteAddr)

16
pkg/middlewares/accesslog/logger.go
View file

@ -227,6 +227,15 @@ func (h *Handler) ServeHTTP(rw http.ResponseWriter, req *http.Request, next http
core[ClientHost] = forwardedFor
}
ctx := req.Context()
capt, err := capture.FromContext(ctx)
if err != nil {
log.FromContext(log.With(ctx, log.Str(log.MiddlewareType, "AccessLogs"))).
WithError(err).
Errorf("Could not get Capture")
return
}
next.ServeHTTP(rw, reqWithDataTable)
if _, ok := core[ClientUsername]; !ok {
@ -237,13 +246,6 @@ func (h *Handler) ServeHTTP(rw http.ResponseWriter, req *http.Request, next http
headers: rw.Header().Clone(),
}
ctx := req.Context()
capt, err := capture.FromContext(ctx)
if err != nil {
log.FromContext(log.With(ctx, log.Str(log.MiddlewareType, "AccessLogs"))).Errorf("Could not get Capture: %v", err)
return
}
logDataTable.DownstreamResponse.status = capt.StatusCode()
logDataTable.DownstreamResponse.size = capt.ResponseSize()
logDataTable.Request.size = capt.RequestSize()

6
pkg/middlewares/accesslog/logger_test.go
View file

@ -57,7 +57,7 @@ func TestLogRotation(t *testing.T) {
})
chain := alice.New()
chain = chain.Append(capture.WrapHandler(&capture.Handler{}))
chain = chain.Append(capture.Wrap)
chain = chain.Append(WrapHandler(logHandler))
handler, err := chain.Then(http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
rw.WriteHeader(http.StatusOK)
@ -210,7 +210,7 @@ func TestLoggerHeaderFields(t *testing.T) {
}
chain := alice.New()
chain = chain.Append(capture.WrapHandler(&capture.Handler{}))
chain = chain.Append(capture.Wrap)
chain = chain.Append(WrapHandler(logger))
handler, err := chain.Then(http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
rw.WriteHeader(http.StatusOK)
@ -784,7 +784,7 @@ func doLoggingTLSOpt(t *testing.T, config *types.AccessLog, enableTLS bool) {
}
chain := alice.New()
chain = chain.Append(capture.WrapHandler(&capture.Handler{}))
chain = chain.Append(capture.Wrap)
chain = chain.Append(WrapHandler(logger))
handler, err := chain.Then(http.HandlerFunc(logWriterTestHandlerFunc))
require.NoError(t, err)

79
pkg/middlewares/capture/capture.go
View file

@ -3,9 +3,8 @@
// For another middleware to get those attributes of a request/response, this middleware
// should be added before in the middleware chain.
//
// handler, _ := NewHandler()
// chain := alice.New().
// Append(WrapHandler(handler)).
// Append(capture.Wrap).
// Append(myOtherMiddleware).
// then(...)
//
@ -33,7 +32,6 @@ import (
"net"
"net/http"
"github.com/containous/alice"
"github.com/traefik/traefik/v2/pkg/middlewares"
)
@ -41,62 +39,67 @@ type key string
const capturedData key = "capturedData"
// Handler will store each request data to its context.
type Handler struct{}
// WrapHandler wraps capture handler into an Alice Constructor.
func WrapHandler(handler *Handler) alice.Constructor {
return func(next http.Handler) (http.Handler, error) {
return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
handler.ServeHTTP(rw, req, next)
}), nil
}
// Wrap returns a new handler that inserts a Capture into the given handler.
// It satisfies the alice.Constructor type.
func Wrap(handler http.Handler) (http.Handler, error) {
c := Capture{}
return c.Reset(handler), nil
}
func (h *Handler) ServeHTTP(rw http.ResponseWriter, req *http.Request, next http.Handler) {
c := Capture{}
if req.Body != nil {
readCounter := &readCounter{source: req.Body}
c.rr = readCounter
req.Body = readCounter
// FromContext returns the Capture value found in ctx, or an empty Capture otherwise.
func FromContext(ctx context.Context) (Capture, error) {
c := ctx.Value(capturedData)
if c == nil {
return Capture{}, errors.New("value not found in context")
}
responseWriter := newResponseWriter(rw)
c.rw = responseWriter
ctx := context.WithValue(req.Context(), capturedData, &c)
next.ServeHTTP(responseWriter, req.WithContext(ctx))
capt, ok := c.(*Capture)
if !ok {
return Capture{}, errors.New("value stored in context is not a *Capture")
}
return *capt, nil
}
// Capture is the object populated by the capture middleware,
// allowing to gather information about the request and response.
// holding probes that allow to gather information about the request and response.
type Capture struct {
rr *readCounter
rw responseWriter
}
// FromContext returns the Capture value found in ctx, or an empty Capture otherwise.
func FromContext(ctx context.Context) (*Capture, error) {
c := ctx.Value(capturedData)
if c == nil {
return nil, errors.New("value not found")
}
capt, ok := c.(*Capture)
if !ok {
return nil, errors.New("value stored in Context is not a *Capture")
}
return capt, nil
// NeedsReset returns whether the given http.ResponseWriter is the capture's probe.
func (c *Capture) NeedsReset(rw http.ResponseWriter) bool {
return c.rw != rw
}
func (c Capture) ResponseSize() int64 {
// Reset returns a new handler that renews the Capture's probes, and inserts
// them when deferring to next.
func (c *Capture) Reset(next http.Handler) http.Handler {
return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
ctx := context.WithValue(req.Context(), capturedData, c)
newReq := req.WithContext(ctx)
if newReq.Body != nil {
readCounter := &readCounter{source: newReq.Body}
c.rr = readCounter
newReq.Body = readCounter
}
c.rw = newResponseWriter(rw)
next.ServeHTTP(c.rw, newReq)
})
}
func (c *Capture) ResponseSize() int64 {
return c.rw.Size()
}
func (c Capture) StatusCode() int {
func (c *Capture) StatusCode() int {
return c.rw.Status()
}
// RequestSize returns the size of the request's body if it applies,
// zero otherwise.
func (c Capture) RequestSize() int64 {
func (c *Capture) RequestSize() int64 {
if c.rr == nil {
return 0
}

6
pkg/middlewares/capture/capture_test.go
View file

@ -38,9 +38,8 @@ func TestCapture(t *testing.T) {
assert.Equal(t, "bar", string(all))
})
wrapped := WrapHandler(&Handler{})
chain := alice.New()
chain = chain.Append(wrapped)
chain = chain.Append(Wrap)
chain = chain.Append(wrapMiddleware)
handlers, err := chain.Then(handler)
require.NoError(t, err)
@ -142,8 +141,7 @@ func BenchmarkCapture(b *testing.B) {
chain := alice.New()
if test.capture || test.body {
captureWrapped := WrapHandler(&Handler{})
chain = chain.Append(captureWrapped)
chain = chain.Append(Wrap)
}
handlers, err := chain.Then(next)
require.NoError(b, err)

27
pkg/middlewares/grpcweb/grpcweb.go Normal file
View file

@ -0,0 +1,27 @@
package grpcweb
import (
"context"
"net/http"
"github.com/improbable-eng/grpc-web/go/grpcweb"
"github.com/traefik/traefik/v2/pkg/config/dynamic"
"github.com/traefik/traefik/v2/pkg/log"
"github.com/traefik/traefik/v2/pkg/middlewares"
)
const typeName = "grpc-web"
// New builds a new gRPC web request converter.
func New(ctx context.Context, next http.Handler, config dynamic.GrpcWeb, name string) http.Handler {
log.FromContext(middlewares.GetLoggerCtx(ctx, name, typeName)).Debug("Creating middleware")
return grpcweb.WrapHandler(next, grpcweb.WithCorsForRegisteredEndpointsOnly(false), grpcweb.WithOriginFunc(func(origin string) bool {
for _, originCfg := range config.AllowOrigins {
if originCfg == "*" || originCfg == origin {
return true
}
}
return false
}))
}

38
pkg/middlewares/ipwhitelist/ip_whitelist.go → pkg/middlewares/ipallowlist/ip_allowlist.go
View file

@ -1,4 +1,4 @@
package ipwhitelist
package ipallowlist
import (
"context"
@ -15,29 +15,29 @@ import (
)
const (
typeName = "IPWhiteLister"
typeName = "IPAllowLister"
)
// ipWhiteLister is a middleware that provides Checks of the Requesting IP against a set of Whitelists.
type ipWhiteLister struct {
// ipAllowLister is a middleware that provides Checks of the Requesting IP against a set of Allowlists.
type ipAllowLister struct {
next http.Handler
whiteLister *ip.Checker
allowLister *ip.Checker
strategy ip.Strategy
name string
}
// New builds a new IPWhiteLister given a list of CIDR-Strings to whitelist.
func New(ctx context.Context, next http.Handler, config dynamic.IPWhiteList, name string) (http.Handler, error) {
// New builds a new IPAllowLister given a list of CIDR-Strings to allow.
func New(ctx context.Context, next http.Handler, config dynamic.IPAllowList, name string) (http.Handler, error) {
logger := log.FromContext(middlewares.GetLoggerCtx(ctx, name, typeName))
logger.Debug("Creating middleware")
if len(config.SourceRange) == 0 {
return nil, errors.New("sourceRange is empty, IPWhiteLister not created")
return nil, errors.New("sourceRange is empty, IPAllowLister not created")
}
checker, err := ip.NewChecker(config.SourceRange)
if err != nil {
return nil, fmt.Errorf("cannot parse CIDR whitelist %s: %w", config.SourceRange, err)
return nil, fmt.Errorf("cannot parse CIDRs %s: %w", config.SourceRange, err)
}
strategy, err := config.IPStrategy.Get()
@ -45,26 +45,26 @@ func New(ctx context.Context, next http.Handler, config dynamic.IPWhiteList, nam
return nil, err
}
logger.Debugf("Setting up IPWhiteLister with sourceRange: %s", config.SourceRange)
logger.Debugf("Setting up IPAllowLister with sourceRange: %s", config.SourceRange)
return &ipWhiteLister{
return &ipAllowLister{
strategy: strategy,
whiteLister: checker,
allowLister: checker,
next: next,
name: name,
}, nil
}
func (wl *ipWhiteLister) GetTracingInformation() (string, ext.SpanKindEnum) {
return wl.name, tracing.SpanKindNoneEnum
func (al *ipAllowLister) GetTracingInformation() (string, ext.SpanKindEnum) {
return al.name, tracing.SpanKindNoneEnum
}
func (wl *ipWhiteLister) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
ctx := middlewares.GetLoggerCtx(req.Context(), wl.name, typeName)
func (al *ipAllowLister) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
ctx := middlewares.GetLoggerCtx(req.Context(), al.name, typeName)
logger := log.FromContext(ctx)
clientIP := wl.strategy.GetIP(req)
err := wl.whiteLister.IsAuthorized(clientIP)
clientIP := al.strategy.GetIP(req)
err := al.allowLister.IsAuthorized(clientIP)
if err != nil {
msg := fmt.Sprintf("Rejecting IP %s: %v", clientIP, err)
logger.Debug(msg)
@ -74,7 +74,7 @@ func (wl *ipWhiteLister) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
}
logger.Debugf("Accepting IP %s", clientIP)
wl.next.ServeHTTP(rw, req)
al.next.ServeHTTP(rw, req)
}
func reject(ctx context.Context, rw http.ResponseWriter) {

26
pkg/middlewares/ipwhitelist/ip_whitelist_test.go → pkg/middlewares/ipallowlist/ip_allowlist_test.go
View file

@ -1,4 +1,4 @@
package ipwhitelist
package ipallowlist
import (
"context"
@ -11,22 +11,22 @@ import (
"github.com/traefik/traefik/v2/pkg/config/dynamic"
)
func TestNewIPWhiteLister(t *testing.T) {
func TestNewIPAllowLister(t *testing.T) {
testCases := []struct {
desc string
whiteList dynamic.IPWhiteList
allowList dynamic.IPAllowList
expectedError bool
}{
{
desc: "invalid IP",
whiteList: dynamic.IPWhiteList{
allowList: dynamic.IPAllowList{
SourceRange: []string{"foo"},
},
expectedError: true,
},
{
desc: "valid IP",
whiteList: dynamic.IPWhiteList{
allowList: dynamic.IPAllowList{
SourceRange: []string{"10.10.10.10"},
},
},
@ -38,28 +38,28 @@ func TestNewIPWhiteLister(t *testing.T) {
t.Parallel()
next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {})
whiteLister, err := New(context.Background(), next, test.whiteList, "traefikTest")
allowLister, err := New(context.Background(), next, test.allowList, "traefikTest")
if test.expectedError {
assert.Error(t, err)
} else {
require.NoError(t, err)
assert.NotNil(t, whiteLister)
assert.NotNil(t, allowLister)
}
})
}
}
func TestIPWhiteLister_ServeHTTP(t *testing.T) {
func TestIPAllowLister_ServeHTTP(t *testing.T) {
testCases := []struct {
desc string
whiteList dynamic.IPWhiteList
allowList dynamic.IPAllowList
remoteAddr string
expected int
}{
{
desc: "authorized with remote address",
whiteList: dynamic.IPWhiteList{
allowList: dynamic.IPAllowList{
SourceRange: []string{"20.20.20.20"},
},
remoteAddr: "20.20.20.20:1234",
@ -67,7 +67,7 @@ func TestIPWhiteLister_ServeHTTP(t *testing.T) {
},
{
desc: "non authorized with remote address",
whiteList: dynamic.IPWhiteList{
allowList: dynamic.IPAllowList{
SourceRange: []string{"20.20.20.20"},
},
remoteAddr: "20.20.20.21:1234",
@ -81,7 +81,7 @@ func TestIPWhiteLister_ServeHTTP(t *testing.T) {
t.Parallel()
next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {})
whiteLister, err := New(context.Background(), next, test.whiteList, "traefikTest")
allowLister, err := New(context.Background(), next, test.allowList, "traefikTest")
require.NoError(t, err)
recorder := httptest.NewRecorder()
@ -92,7 +92,7 @@ func TestIPWhiteLister_ServeHTTP(t *testing.T) {
req.RemoteAddr = test.remoteAddr
}
whiteLister.ServeHTTP(recorder, req)
allowLister.ServeHTTP(recorder, req)
assert.Equal(t, test.expected, recorder.Code)
})

21
pkg/middlewares/metrics/metrics.go
View file

@ -24,6 +24,7 @@ const (
protoWebsocket = "websocket"
typeName = "Metrics"
nameEntrypoint = "metrics-entrypoint"
nameRouter = "metrics-router"
nameService = "metrics-service"
)
@ -56,7 +57,7 @@ func NewEntryPointMiddleware(ctx context.Context, next http.Handler, registry me
// NewRouterMiddleware creates a new metrics middleware for a Router.
func NewRouterMiddleware(ctx context.Context, next http.Handler, registry metrics.Registry, routerName string, serviceName string) http.Handler {
log.FromContext(middlewares.GetLoggerCtx(ctx, nameEntrypoint, typeName)).Debug("Creating middleware")
log.FromContext(middlewares.GetLoggerCtx(ctx, nameRouter, typeName)).Debug("Creating middleware")
return &metricsMiddleware{
next: next,
@ -125,17 +126,25 @@ func (m *metricsMiddleware) ServeHTTP(rw http.ResponseWriter, req *http.Request)
m.reqsTLSCounter.With(tlsLabels...).Add(1)
}
start := time.Now()
m.next.ServeHTTP(rw, req)
ctx := req.Context()
capt, err := capture.FromContext(ctx)
if err != nil {
log.FromContext(middlewares.GetLoggerCtx(ctx, nameEntrypoint, typeName)).Errorf("Could not get Capture: %w", err)
for i := 0; i < len(m.baseLabels); i += 2 {
ctx = log.With(ctx, log.Str(m.baseLabels[i], m.baseLabels[i+1]))
}
log.FromContext(ctx).WithError(err).Errorf("Could not get Capture")
return
}
next := m.next
if capt.NeedsReset(rw) {
next = capt.Reset(m.next)
}
start := time.Now()
next.ServeHTTP(rw, req)
labels = append(labels, "code", strconv.Itoa(capt.StatusCode()))
m.reqDurationHistogram.With(labels...).ObserveFromStart(start)
m.reqsCounter.With(labels...).Add(1)

2
pkg/middlewares/tcp/inflightconn/inflight_conn.go
View file

@ -1,4 +1,4 @@
package tcpinflightconn
package inflightconn
import (
"context"

2
pkg/middlewares/tcp/inflightconn/inflight_conn_test.go
View file

@ -1,4 +1,4 @@
package tcpinflightconn
package inflightconn
import (
"context"

32
pkg/middlewares/tcp/ipwhitelist/ip_whitelist.go → pkg/middlewares/tcp/ipallowlist/ip_allowlist.go
View file

@ -1,4 +1,4 @@
package tcpipwhitelist
package ipallowlist
import (
"context"
@ -13,46 +13,46 @@ import (
)
const (
typeName = "IPWhiteListerTCP"
typeName = "IPAllowListerTCP"
)
// ipWhiteLister is a middleware that provides Checks of the Requesting IP against a set of Whitelists.
type ipWhiteLister struct {
// ipAllowLister is a middleware that provides Checks of the Requesting IP against a set of Allowlists.
type ipAllowLister struct {
next tcp.Handler
whiteLister *ip.Checker
allowLister *ip.Checker
name string
}
// New builds a new TCP IPWhiteLister given a list of CIDR-Strings to whitelist.
func New(ctx context.Context, next tcp.Handler, config dynamic.TCPIPWhiteList, name string) (tcp.Handler, error) {
// New builds a new TCP IPAllowLister given a list of CIDR-Strings to allow.
func New(ctx context.Context, next tcp.Handler, config dynamic.TCPIPAllowList, name string) (tcp.Handler, error) {
logger := log.FromContext(middlewares.GetLoggerCtx(ctx, name, typeName))
logger.Debug("Creating middleware")
if len(config.SourceRange) == 0 {
return nil, errors.New("sourceRange is empty, IPWhiteLister not created")
return nil, errors.New("sourceRange is empty, IPAllowLister not created")
}
checker, err := ip.NewChecker(config.SourceRange)
if err != nil {
return nil, fmt.Errorf("cannot parse CIDR whitelist %s: %w", config.SourceRange, err)
return nil, fmt.Errorf("cannot parse CIDRs %s: %w", config.SourceRange, err)
}
logger.Debugf("Setting up IPWhiteLister with sourceRange: %s", config.SourceRange)
logger.Debugf("Setting up IPAllowLister with sourceRange: %s", config.SourceRange)
return &ipWhiteLister{
whiteLister: checker,
return &ipAllowLister{
allowLister: checker,
next: next,
name: name,
}, nil
}
func (wl *ipWhiteLister) ServeTCP(conn tcp.WriteCloser) {
ctx := middlewares.GetLoggerCtx(context.Background(), wl.name, typeName)
func (al *ipAllowLister) ServeTCP(conn tcp.WriteCloser) {
ctx := middlewares.GetLoggerCtx(context.Background(), al.name, typeName)
logger := log.FromContext(ctx)
addr := conn.RemoteAddr().String()
err := wl.whiteLister.IsAuthorized(addr)
err := al.allowLister.IsAuthorized(addr)
if err != nil {
logger.Errorf("Connection from %s rejected: %v", addr, err)
conn.Close()
@ -61,5 +61,5 @@ func (wl *ipWhiteLister) ServeTCP(conn tcp.WriteCloser) {
logger.Debugf("Connection from %s accepted", addr)
wl.next.ServeTCP(conn)
al.next.ServeTCP(conn)
}

28
pkg/middlewares/tcp/ipwhitelist/ip_whitelist_test.go → pkg/middlewares/tcp/ipallowlist/ip_allowlist_test.go
View file

@ -1,4 +1,4 @@
package tcpipwhitelist
package ipallowlist
import (
"context"
@ -12,27 +12,27 @@ import (
"github.com/traefik/traefik/v2/pkg/tcp"
)
func TestNewIPWhiteLister(t *testing.T) {
func TestNewIPAllowLister(t *testing.T) {
testCases := []struct {
desc string
whiteList dynamic.TCPIPWhiteList
allowList dynamic.TCPIPAllowList
expectedError bool
}{
{
desc: "Empty config",
whiteList: dynamic.TCPIPWhiteList{},
allowList: dynamic.TCPIPAllowList{},
expectedError: true,
},
{
desc: "invalid IP",
whiteList: dynamic.TCPIPWhiteList{
allowList: dynamic.TCPIPAllowList{
SourceRange: []string{"foo"},
},
expectedError: true,
},
{
desc: "valid IP",
whiteList: dynamic.TCPIPWhiteList{
allowList: dynamic.TCPIPAllowList{
SourceRange: []string{"10.10.10.10"},
},
},
@ -44,28 +44,28 @@ func TestNewIPWhiteLister(t *testing.T) {
t.Parallel()
next := tcp.HandlerFunc(func(conn tcp.WriteCloser) {})
whiteLister, err := New(context.Background(), next, test.whiteList, "traefikTest")
allowLister, err := New(context.Background(), next, test.allowList, "traefikTest")
if test.expectedError {
assert.Error(t, err)
} else {
require.NoError(t, err)
assert.NotNil(t, whiteLister)
assert.NotNil(t, allowLister)
}
})
}
}
func TestIPWhiteLister_ServeHTTP(t *testing.T) {
func TestIPAllowLister_ServeHTTP(t *testing.T) {
testCases := []struct {
desc string
whiteList dynamic.TCPIPWhiteList
allowList dynamic.TCPIPAllowList
remoteAddr string
expected string
}{
{
desc: "authorized with remote address",
whiteList: dynamic.TCPIPWhiteList{
allowList: dynamic.TCPIPAllowList{
SourceRange: []string{"20.20.20.20"},
},
remoteAddr: "20.20.20.20:1234",
@ -73,7 +73,7 @@ func TestIPWhiteLister_ServeHTTP(t *testing.T) {
},
{
desc: "non authorized with remote address",
whiteList: dynamic.TCPIPWhiteList{
allowList: dynamic.TCPIPAllowList{
SourceRange: []string{"20.20.20.20"},
},
remoteAddr: "20.20.20.21:1234",
@ -94,13 +94,13 @@ func TestIPWhiteLister_ServeHTTP(t *testing.T) {
require.NoError(t, err)
})
whiteLister, err := New(context.Background(), next, test.whiteList, "traefikTest")
allowLister, err := New(context.Background(), next, test.allowList, "traefikTest")
require.NoError(t, err)
server, client := net.Pipe()
go func() {
whiteLister.ServeTCP(&contextWriteCloser{client, addr{test.remoteAddr}})
allowLister.ServeTCP(&contextWriteCloser{client, addr{test.remoteAddr}})
}()
read, err := io.ReadAll(server)

4
pkg/provider/consulcatalog/config_test.go
View file

@ -2022,7 +2022,7 @@ func Test_buildConfiguration(t *testing.T) {
Name: "Test",
Labels: map[string]string{
"traefik.tcp.routers.Test.rule": "HostSNI(`foo.bar`)",
"traefik.tcp.middlewares.Middleware1.ipwhitelist.sourcerange": "foobar, fiibar",
"traefik.tcp.middlewares.Middleware1.ipallowlist.sourcerange": "foobar, fiibar",
"traefik.tcp.routers.Test.middlewares": "Middleware1",
},
Address: "127.0.0.1",
@ -2041,7 +2041,7 @@ func Test_buildConfiguration(t *testing.T) {
},
Middlewares: map[string]*dynamic.TCPMiddleware{
"Middleware1": {
IPWhiteList: &dynamic.TCPIPWhiteList{
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"foobar", "fiibar"},
},
},

4
pkg/provider/docker/config_test.go
View file

@ -2611,7 +2611,7 @@ func Test_buildConfiguration(t *testing.T) {
Name: "Test",
Labels: map[string]string{
"traefik.tcp.routers.Test.rule": "HostSNI(`foo.bar`)",
"traefik.tcp.middlewares.Middleware1.ipwhitelist.sourcerange": "foobar, fiibar",
"traefik.tcp.middlewares.Middleware1.ipallowlist.sourcerange": "foobar, fiibar",
"traefik.tcp.routers.Test.middlewares": "Middleware1",
},
NetworkSettings: networkSettings{
@ -2638,7 +2638,7 @@ func Test_buildConfiguration(t *testing.T) {
},
Middlewares: map[string]*dynamic.TCPMiddleware{
"Middleware1": {
IPWhiteList: &dynamic.TCPIPWhiteList{
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"foobar", "fiibar"},
},
},

4
pkg/provider/ecs/config_test.go
View file

@ -2333,7 +2333,7 @@ func Test_buildConfiguration(t *testing.T) {
name("Test"),
labels(map[string]string{
"traefik.tcp.routers.Test.rule": "HostSNI(`foo.bar`)",
"traefik.tcp.middlewares.Middleware1.ipwhitelist.sourcerange": "foobar, fiibar",
"traefik.tcp.middlewares.Middleware1.ipallowlist.sourcerange": "foobar, fiibar",
"traefik.tcp.routers.Test.middlewares": "Middleware1",
}),
iMachine(
@ -2356,7 +2356,7 @@ func Test_buildConfiguration(t *testing.T) {
},
Middlewares: map[string]*dynamic.TCPMiddleware{
"Middleware1": {
IPWhiteList: &dynamic.TCPIPWhiteList{
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"foobar", "fiibar"},
},
},

12
pkg/provider/kubernetes/crd/fixtures/tcp/with_middleware.yml
View file

@ -1,10 +1,10 @@
apiVersion: traefik.containo.us/v1alpha1
kind: MiddlewareTCP
metadata:
name: ipwhitelist
name: ipallowlist
namespace: default
spec:
ipWhiteList:
ipAllowList:
sourceRange:
- 127.0.0.1/32
@ -12,10 +12,10 @@ spec:
apiVersion: traefik.containo.us/v1alpha1
kind: MiddlewareTCP
metadata:
name: ipwhitelist
name: ipallowlist
namespace: foo
spec:
ipWhiteList:
ipAllowList:
sourceRange:
- 127.0.0.1/32
---
@ -36,6 +36,6 @@ spec:
port: 8000
middlewares:
- name: ipwhitelist
- name: ipwhitelist
- name: ipallowlist
- name: ipallowlist
namespace: foo

16
pkg/provider/kubernetes/crd/fixtures/tcp/with_middleware_crossprovider.yml
View file

@ -1,10 +1,10 @@
apiVersion: traefik.containo.us/v1alpha1
kind: MiddlewareTCP
metadata:
name: ipwhitelist
name: ipallowlist
namespace: default
spec:
ipWhiteList:
ipAllowList:
sourceRange:
- 127.0.0.1/32
@ -12,10 +12,10 @@ spec:
apiVersion: traefik.containo.us/v1alpha1
kind: MiddlewareTCP
metadata:
name: ipwhitelist
name: ipallowlist
namespace: foo
spec:
ipWhiteList:
ipAllowList:
sourceRange:
- 127.0.0.1/32
---
@ -36,9 +36,9 @@ spec:
port: 8000
middlewares:
- name: ipwhitelist
- name: ipwhitelist
- name: ipallowlist
- name: ipallowlist
namespace: foo
- name: ipwhitelist@file
- name: ipwhitelist-foo@file
- name: ipallowlist@file
- name: ipallowlist-foo@file
namespace: foo

2
pkg/provider/kubernetes/crd/fixtures/tcp/with_middleware_multiple_hyphens.yml
View file

@ -4,7 +4,7 @@ metadata:
name: multiple---hyphens
namespace: default
spec:
ipWhiteList:
ipAllowList:
sourceRange:
- 127.0.0.1/32

12
pkg/provider/kubernetes/crd/fixtures/tcp/with_middleware_with_cross_namespace.yml
View file

@ -1,10 +1,10 @@
apiVersion: traefik.containo.us/v1alpha1
kind: MiddlewareTCP
metadata:
name: ipwhitelist
name: ipallowlist
namespace: default
spec:
ipWhiteList:
ipAllowList:
sourceRange:
- 127.0.0.1/32
@ -12,10 +12,10 @@ spec:
apiVersion: traefik.containo.us/v1alpha1
kind: MiddlewareTCP
metadata:
name: ipwhitelist
name: ipallowlist
namespace: cross-ns
spec:
ipWhiteList:
ipAllowList:
sourceRange:
- 127.0.0.1/32
---
@ -36,7 +36,7 @@ spec:
port: 8000
middlewares:
- name: ipwhitelist
- name: ipallowlist
- match: HostSNI(`bar.com`)
services:
@ -44,5 +44,5 @@ spec:
port: 8000
middlewares:
- name: ipwhitelist
- name: ipallowlist
namespace: cross-ns

5
pkg/provider/kubernetes/crd/kubernetes.go
View file

@ -263,7 +263,7 @@ func (p *Provider) loadConfigurationFromCRD(ctx context.Context, client Client)
ReplacePath: middleware.Spec.ReplacePath,
ReplacePathRegex: middleware.Spec.ReplacePathRegex,
Chain: createChainMiddleware(ctxMid, middleware.Namespace, middleware.Spec.Chain),
IPWhiteList: middleware.Spec.IPWhiteList,
IPAllowList: middleware.Spec.IPAllowList,
Headers: middleware.Spec.Headers,
Errors: errorPage,
RateLimit: rateLimit,
@ -279,6 +279,7 @@ func (p *Provider) loadConfigurationFromCRD(ctx context.Context, client Client)
PassTLSClientCert: middleware.Spec.PassTLSClientCert,
Retry: retry,
ContentType: middleware.Spec.ContentType,
GrpcWeb: middleware.Spec.GrpcWeb,
Plugin: plugin,
}
}
@ -288,7 +289,7 @@ func (p *Provider) loadConfigurationFromCRD(ctx context.Context, client Client)
conf.TCP.Middlewares[id] = &dynamic.TCPMiddleware{
InFlightConn: middlewareTCP.Spec.InFlightConn,
IPWhiteList: middlewareTCP.Spec.IPWhiteList,
IPAllowList: middlewareTCP.Spec.IPAllowList,
}
}

44
pkg/provider/kubernetes/crd/kubernetes_test.go
View file

@ -119,18 +119,18 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
"default-test.route-fdd3e9338e47a45efefc": {
EntryPoints: []string{"foo"},
Service: "default-test.route-fdd3e9338e47a45efefc",
Middlewares: []string{"default-ipwhitelist", "foo-ipwhitelist"},
Middlewares: []string{"default-ipallowlist", "foo-ipallowlist"},
Rule: "HostSNI(`foo.com`)",
},
},
Middlewares: map[string]*dynamic.TCPMiddleware{
"default-ipwhitelist": {
IPWhiteList: &dynamic.TCPIPWhiteList{
"default-ipallowlist": {
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"127.0.0.1/32"},
},
},
"foo-ipwhitelist": {
IPWhiteList: &dynamic.TCPIPWhiteList{
"foo-ipallowlist": {
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"127.0.0.1/32"},
},
},
@ -178,7 +178,7 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
},
Middlewares: map[string]*dynamic.TCPMiddleware{
"default-multiple-hyphens": {
IPWhiteList: &dynamic.TCPIPWhiteList{
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"127.0.0.1/32"},
},
},
@ -220,18 +220,18 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
"default-test.route-fdd3e9338e47a45efefc": {
EntryPoints: []string{"foo"},
Service: "default-test.route-fdd3e9338e47a45efefc",
Middlewares: []string{"default-ipwhitelist", "foo-ipwhitelist", "ipwhitelist@file", "ipwhitelist-foo@file"},
Middlewares: []string{"default-ipallowlist", "foo-ipallowlist", "ipallowlist@file", "ipallowlist-foo@file"},
Rule: "HostSNI(`foo.com`)",
},
},
Middlewares: map[string]*dynamic.TCPMiddleware{
"default-ipwhitelist": {
IPWhiteList: &dynamic.TCPIPWhiteList{
"default-ipallowlist": {
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"127.0.0.1/32"},
},
},
"foo-ipwhitelist": {
IPWhiteList: &dynamic.TCPIPWhiteList{
"foo-ipallowlist": {
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"127.0.0.1/32"},
},
},
@ -5459,18 +5459,18 @@ func TestCrossNamespace(t *testing.T) {
"default-test.route-fdd3e9338e47a45efefc": {
EntryPoints: []string{"foo"},
Service: "default-test.route-fdd3e9338e47a45efefc",
Middlewares: []string{"default-ipwhitelist"},
Middlewares: []string{"default-ipallowlist"},
Rule: "HostSNI(`foo.com`)",
},
},
Middlewares: map[string]*dynamic.TCPMiddleware{
"default-ipwhitelist": {
IPWhiteList: &dynamic.TCPIPWhiteList{
"default-ipallowlist": {
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"127.0.0.1/32"},
},
},
"cross-ns-ipwhitelist": {
IPWhiteList: &dynamic.TCPIPWhiteList{
"cross-ns-ipallowlist": {
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"127.0.0.1/32"},
},
},
@ -5513,24 +5513,24 @@ func TestCrossNamespace(t *testing.T) {
"default-test.route-fdd3e9338e47a45efefc": {
EntryPoints: []string{"foo"},
Service: "default-test.route-fdd3e9338e47a45efefc",
Middlewares: []string{"default-ipwhitelist"},
Middlewares: []string{"default-ipallowlist"},
Rule: "HostSNI(`foo.com`)",
},
"default-test.route-f44ce589164e656d231c": {
EntryPoints: []string{"foo"},
Service: "default-test.route-f44ce589164e656d231c",
Middlewares: []string{"cross-ns-ipwhitelist"},
Middlewares: []string{"cross-ns-ipallowlist"},
Rule: "HostSNI(`bar.com`)",
},
},
Middlewares: map[string]*dynamic.TCPMiddleware{
"default-ipwhitelist": {
IPWhiteList: &dynamic.TCPIPWhiteList{
"default-ipallowlist": {
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"127.0.0.1/32"},
},
},
"cross-ns-ipwhitelist": {
IPWhiteList: &dynamic.TCPIPWhiteList{
"cross-ns-ipallowlist": {
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"127.0.0.1/32"},
},
},

3
pkg/provider/kubernetes/crd/traefik/v1alpha1/middleware.go
View file

@ -32,7 +32,7 @@ type MiddlewareSpec struct {
ReplacePath *dynamic.ReplacePath `json:"replacePath,omitempty"`
ReplacePathRegex *dynamic.ReplacePathRegex `json:"replacePathRegex,omitempty"`
Chain *Chain `json:"chain,omitempty"`
IPWhiteList *dynamic.IPWhiteList `json:"ipWhiteList,omitempty"`
IPAllowList *dynamic.IPAllowList `json:"ipAllowList,omitempty"`
Headers *dynamic.Headers `json:"headers,omitempty"`
Errors *ErrorPage `json:"errors,omitempty"`
RateLimit *RateLimit `json:"rateLimit,omitempty"`
@ -48,6 +48,7 @@ type MiddlewareSpec struct {
PassTLSClientCert *dynamic.PassTLSClientCert `json:"passTLSClientCert,omitempty"`
Retry *Retry `json:"retry,omitempty"`
ContentType *dynamic.ContentType `json:"contentType,omitempty"`
GrpcWeb *dynamic.GrpcWeb `json:"grpcWeb,omitempty"`
// Plugin defines the middleware plugin configuration.
// More info: https://doc.traefik.io/traefik/plugins/
Plugin map[string]apiextensionv1.JSON `json:"plugin,omitempty"`

4
pkg/provider/kubernetes/crd/traefik/v1alpha1/middlewaretcp.go
View file

@ -25,8 +25,8 @@ type MiddlewareTCP struct {
type MiddlewareTCPSpec struct {
// InFlightConn defines the InFlightConn middleware configuration.
InFlightConn *dynamic.TCPInFlightConn `json:"inFlightConn,omitempty"`
// IPWhiteList defines the IPWhiteList middleware configuration.
IPWhiteList *dynamic.TCPIPWhiteList `json:"ipWhiteList,omitempty"`
// IPAllowList defines the IPAllowList middleware configuration.
IPAllowList *dynamic.TCPIPAllowList `json:"ipAllowList,omitempty"`
}
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

17
pkg/provider/kubernetes/crd/traefik/v1alpha1/zz_generated.deepcopy.go
View file

@ -689,9 +689,9 @@ func (in *MiddlewareSpec) DeepCopyInto(out *MiddlewareSpec) {
*out = new(Chain)
(*in).DeepCopyInto(*out)
}
if in.IPWhiteList != nil {
in, out := &in.IPWhiteList, &out.IPWhiteList
*out = new(dynamic.IPWhiteList)
if in.IPAllowList != nil {
in, out := &in.IPAllowList, &out.IPAllowList
*out = new(dynamic.IPAllowList)
(*in).DeepCopyInto(*out)
}
if in.Headers != nil {
@ -769,6 +769,11 @@ func (in *MiddlewareSpec) DeepCopyInto(out *MiddlewareSpec) {
*out = new(dynamic.ContentType)
**out = **in
}
if in.GrpcWeb != nil {
in, out := &in.GrpcWeb, &out.GrpcWeb
*out = new(dynamic.GrpcWeb)
(*in).DeepCopyInto(*out)
}
if in.Plugin != nil {
in, out := &in.Plugin, &out.Plugin
*out = make(map[string]v1.JSON, len(*in))
@ -857,9 +862,9 @@ func (in *MiddlewareTCPSpec) DeepCopyInto(out *MiddlewareTCPSpec) {
*out = new(dynamic.TCPInFlightConn)
**out = **in
}
if in.IPWhiteList != nil {
in, out := &in.IPWhiteList, &out.IPWhiteList
*out = new(dynamic.TCPIPWhiteList)
if in.IPAllowList != nil {
in, out := &in.IPAllowList, &out.IPAllowList
*out = new(dynamic.TCPIPAllowList)
(*in).DeepCopyInto(*out)
}
return

12
pkg/provider/kv/kv_test.go
View file

@ -140,11 +140,11 @@ func Test_buildConfiguration(t *testing.T) {
"traefik/http/middlewares/Middleware09/headers/customRequestHeaders/name0": "foobar",
"traefik/http/middlewares/Middleware09/headers/customRequestHeaders/name1": "foobar",
"traefik/http/middlewares/Middleware09/headers/browserXssFilter": "true",
"traefik/http/middlewares/Middleware10/ipWhiteList/sourceRange/0": "foobar",
"traefik/http/middlewares/Middleware10/ipWhiteList/sourceRange/1": "foobar",
"traefik/http/middlewares/Middleware10/ipWhiteList/ipStrategy/excludedIPs/0": "foobar",
"traefik/http/middlewares/Middleware10/ipWhiteList/ipStrategy/excludedIPs/1": "foobar",
"traefik/http/middlewares/Middleware10/ipWhiteList/ipStrategy/depth": "42",
"traefik/http/middlewares/Middleware10/ipAllowList/sourceRange/0": "foobar",
"traefik/http/middlewares/Middleware10/ipAllowList/sourceRange/1": "foobar",
"traefik/http/middlewares/Middleware10/ipAllowList/ipStrategy/excludedIPs/0": "foobar",
"traefik/http/middlewares/Middleware10/ipAllowList/ipStrategy/excludedIPs/1": "foobar",
"traefik/http/middlewares/Middleware10/ipAllowList/ipStrategy/depth": "42",
"traefik/http/middlewares/Middleware11/inFlightReq/amount": "42",
"traefik/http/middlewares/Middleware11/inFlightReq/sourceCriterion/requestHost": "true",
"traefik/http/middlewares/Middleware11/inFlightReq/sourceCriterion/ipStrategy/depth": "42",
@ -340,7 +340,7 @@ func Test_buildConfiguration(t *testing.T) {
},
Middlewares: map[string]*dynamic.Middleware{
"Middleware10": {
IPWhiteList: &dynamic.IPWhiteList{
IPAllowList: &dynamic.IPAllowList{
SourceRange: []string{
"foobar",
"foobar",

6
pkg/provider/marathon/config_test.go
View file

@ -196,14 +196,14 @@ func TestBuildConfiguration(t *testing.T) {
},
},
{
desc: "TCP with IP whitelist",
desc: "TCP with IP allowlist",
applications: withApplications(
application(
appID("/app"),
appPorts(80),
withLabel("traefik.tcp.routers.Test.rule", "HostSNI(`foo.bar`)"),
withLabel("traefik.tcp.middlewares.Middleware1.ipwhitelist.sourcerange", "foobar, fiibar"),
withLabel("traefik.tcp.middlewares.Middleware1.ipallowlist.sourcerange", "foobar, fiibar"),
withLabel("traefik.tcp.routers.Test.middlewares", "Middleware1"),
withTasks(localhostTask(taskPorts(80))),
)),
@ -218,7 +218,7 @@ func TestBuildConfiguration(t *testing.T) {
},
Middlewares: map[string]*dynamic.TCPMiddleware{
"Middleware1": {
IPWhiteList: &dynamic.TCPIPWhiteList{
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"foobar", "fiibar"},
},
},

4
pkg/provider/nomad/config_test.go
View file

@ -1621,7 +1621,7 @@ func Test_buildConfig(t *testing.T) {
Name: "Test",
Tags: []string{
"traefik.tcp.routers.Test.rule = HostSNI(`foo.bar`)",
"traefik.tcp.middlewares.Middleware1.ipwhitelist.sourcerange = foobar, fiibar",
"traefik.tcp.middlewares.Middleware1.ipallowlist.sourcerange = foobar, fiibar",
"traefik.tcp.routers.Test.middlewares = Middleware1",
},
Address: "127.0.0.1",
@ -1640,7 +1640,7 @@ func Test_buildConfig(t *testing.T) {
},
Middlewares: map[string]*dynamic.TCPMiddleware{
"Middleware1": {
IPWhiteList: &dynamic.TCPIPWhiteList{
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"foobar", "fiibar"},
},
},

4
pkg/provider/rancher/config_test.go
View file

@ -508,7 +508,7 @@ func Test_buildConfiguration(t *testing.T) {
Name: "Test",
Labels: map[string]string{
"traefik.tcp.routers.Test.rule": "HostSNI(`foo.bar`)",
"traefik.tcp.middlewares.Middleware1.ipwhitelist.sourcerange": "foobar, fiibar",
"traefik.tcp.middlewares.Middleware1.ipallowlist.sourcerange": "foobar, fiibar",
"traefik.tcp.routers.Test.middlewares": "Middleware1",
},
Port: "80/tcp",
@ -528,7 +528,7 @@ func Test_buildConfiguration(t *testing.T) {
},
Middlewares: map[string]*dynamic.TCPMiddleware{
"Middleware1": {
IPWhiteList: &dynamic.TCPIPWhiteList{
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"foobar", "fiibar"},
},
},

2
pkg/redactor/redactor_config_test.go
View file

@ -191,7 +191,7 @@ func init() {
Chain: &dynamic.Chain{
Middlewares: []string{"foo"},
},
IPWhiteList: &dynamic.IPWhiteList{
IPAllowList: &dynamic.IPAllowList{
SourceRange: []string{"foo"},
IPStrategy: &dynamic.IPStrategy{
Depth: 42,

4
pkg/redactor/testdata/anonymized-dynamic-config.json vendored
View file

@ -119,7 +119,7 @@
"foo"
]
},
"ipWhiteList": {
"ipAllowList": {
"sourceRange": [
"xxxx"
],
@ -478,4 +478,4 @@
}
}
}
}
}

4
pkg/redactor/testdata/secured-dynamic-config.json vendored
View file

@ -119,7 +119,7 @@
"foo"
]
},
"ipWhiteList": {
"ipAllowList": {
"sourceRange": [
"foo"
],
@ -483,4 +483,4 @@
}
}
}
}
}

8
pkg/server/middleware/chainbuilder.go
View file

@ -18,16 +18,14 @@ type ChainBuilder struct {
metricsRegistry metrics.Registry
accessLoggerMiddleware *accesslog.Handler
tracer *tracing.Tracing
captureMiddleware *capture.Handler
}
// NewChainBuilder Creates a new ChainBuilder.
func NewChainBuilder(metricsRegistry metrics.Registry, accessLoggerMiddleware *accesslog.Handler, tracer *tracing.Tracing, captureMiddleware *capture.Handler) *ChainBuilder {
func NewChainBuilder(metricsRegistry metrics.Registry, accessLoggerMiddleware *accesslog.Handler, tracer *tracing.Tracing) *ChainBuilder {
return &ChainBuilder{
metricsRegistry: metricsRegistry,
accessLoggerMiddleware: accessLoggerMiddleware,
tracer: tracer,
captureMiddleware: captureMiddleware,
}
}
@ -35,8 +33,8 @@ func NewChainBuilder(metricsRegistry metrics.Registry, accessLoggerMiddleware *a
func (c *ChainBuilder) Build(ctx context.Context, entryPointName string) alice.Chain {
chain := alice.New()
if c.captureMiddleware != nil {
chain = chain.Append(capture.WrapHandler(c.captureMiddleware))
if c.accessLoggerMiddleware != nil || c.metricsRegistry != nil && (c.metricsRegistry.IsEpEnabled() || c.metricsRegistry.IsRouterEnabled() || c.metricsRegistry.IsSvcEnabled()) {
chain = chain.Append(capture.Wrap)
}
if c.accessLoggerMiddleware != nil {

19
pkg/server/middleware/middlewares.go
View file

@ -17,9 +17,10 @@ import (
"github.com/traefik/traefik/v2/pkg/middlewares/circuitbreaker"
"github.com/traefik/traefik/v2/pkg/middlewares/compress"
"github.com/traefik/traefik/v2/pkg/middlewares/customerrors"
"github.com/traefik/traefik/v2/pkg/middlewares/grpcweb"
"github.com/traefik/traefik/v2/pkg/middlewares/headers"
"github.com/traefik/traefik/v2/pkg/middlewares/inflightreq"
"github.com/traefik/traefik/v2/pkg/middlewares/ipwhitelist"
"github.com/traefik/traefik/v2/pkg/middlewares/ipallowlist"
"github.com/traefik/traefik/v2/pkg/middlewares/passtlsclientcert"
"github.com/traefik/traefik/v2/pkg/middlewares/ratelimiter"
"github.com/traefik/traefik/v2/pkg/middlewares/redirect"
@ -219,6 +220,16 @@ func (b *Builder) buildConstructor(ctx context.Context, middlewareName string) (
}
}
// GrpcWeb
if config.GrpcWeb != nil {
if middleware != nil {
return nil, badConf
}
middleware = func(next http.Handler) (http.Handler, error) {
return grpcweb.New(ctx, next, *config.GrpcWeb, middlewareName), nil
}
}
// Headers
if config.Headers != nil {
if middleware != nil {
@ -229,13 +240,13 @@ func (b *Builder) buildConstructor(ctx context.Context, middlewareName string) (
}
}
// IPWhiteList
if config.IPWhiteList != nil {
// IPAllowList
if config.IPAllowList != nil {
if middleware != nil {
return nil, badConf
}
middleware = func(next http.Handler) (http.Handler, error) {
return ipwhitelist.New(ctx, next, *config.IPWhiteList, middlewareName)
return ipallowlist.New(ctx, next, *config.IPAllowList, middlewareName)
}
}

10
pkg/server/middleware/tcp/middlewares.go
View file

@ -6,8 +6,8 @@ import (
"strings"
"github.com/traefik/traefik/v2/pkg/config/runtime"
inflightconn "github.com/traefik/traefik/v2/pkg/middlewares/tcp/inflightconn"
ipwhitelist "github.com/traefik/traefik/v2/pkg/middlewares/tcp/ipwhitelist"
"github.com/traefik/traefik/v2/pkg/middlewares/tcp/inflightconn"
"github.com/traefik/traefik/v2/pkg/middlewares/tcp/ipallowlist"
"github.com/traefik/traefik/v2/pkg/server/provider"
"github.com/traefik/traefik/v2/pkg/tcp"
)
@ -94,10 +94,10 @@ func (b *Builder) buildConstructor(ctx context.Context, middlewareName string) (
}
}
// IPWhiteList
if config.IPWhiteList != nil {
// IPAllowList
if config.IPAllowList != nil {
middleware = func(next tcp.Handler) (tcp.Handler, error) {
return ipwhitelist.New(ctx, next, *config.IPWhiteList, middlewareName)
return ipallowlist.New(ctx, next, *config.IPAllowList, middlewareName)
}
}

12
pkg/server/router/router_test.go
View file

@ -316,7 +316,7 @@ func TestRouterManager_Get(t *testing.T) {
roundTripperManager.Update(map[string]*dynamic.ServersTransport{"default@internal": {}})
serviceManager := service.NewManager(rtConf.Services, nil, nil, roundTripperManager)
middlewaresBuilder := middleware.NewBuilder(rtConf.Middlewares, serviceManager, nil)
chainBuilder := middleware.NewChainBuilder(nil, nil, nil, nil)
chainBuilder := middleware.NewChainBuilder(nil, nil, nil)
routerManager := NewManager(rtConf, serviceManager, middlewaresBuilder, chainBuilder, metrics.NewVoidRegistry())
@ -422,7 +422,7 @@ func TestAccessLog(t *testing.T) {
roundTripperManager.Update(map[string]*dynamic.ServersTransport{"default@internal": {}})
serviceManager := service.NewManager(rtConf.Services, nil, nil, roundTripperManager)
middlewaresBuilder := middleware.NewBuilder(rtConf.Middlewares, serviceManager, nil)
chainBuilder := middleware.NewChainBuilder(nil, nil, nil, nil)
chainBuilder := middleware.NewChainBuilder(nil, nil, nil)
routerManager := NewManager(rtConf, serviceManager, middlewaresBuilder, chainBuilder, metrics.NewVoidRegistry())
@ -439,7 +439,7 @@ func TestAccessLog(t *testing.T) {
reqHost := requestdecorator.New(nil)
chain := alice.New()
chain = chain.Append(capture.WrapHandler(&capture.Handler{}))
chain = chain.Append(capture.Wrap)
chain = chain.Append(accesslog.WrapHandler(accesslogger))
handler, err := chain.Then(http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
reqHost.ServeHTTP(w, req, handlers["web"].ServeHTTP)
@ -717,7 +717,7 @@ func TestRuntimeConfiguration(t *testing.T) {
roundTripperManager.Update(map[string]*dynamic.ServersTransport{"default@internal": {}})
serviceManager := service.NewManager(rtConf.Services, nil, nil, roundTripperManager)
middlewaresBuilder := middleware.NewBuilder(rtConf.Middlewares, serviceManager, nil)
chainBuilder := middleware.NewChainBuilder(nil, nil, nil, nil)
chainBuilder := middleware.NewChainBuilder(nil, nil, nil)
routerManager := NewManager(rtConf, serviceManager, middlewaresBuilder, chainBuilder, metrics.NewVoidRegistry())
@ -792,7 +792,7 @@ func TestProviderOnMiddlewares(t *testing.T) {
roundTripperManager.Update(map[string]*dynamic.ServersTransport{"default@internal": {}})
serviceManager := service.NewManager(rtConf.Services, nil, nil, roundTripperManager)
middlewaresBuilder := middleware.NewBuilder(rtConf.Middlewares, serviceManager, nil)
chainBuilder := middleware.NewChainBuilder(nil, nil, nil, nil)
chainBuilder := middleware.NewChainBuilder(nil, nil, nil)
routerManager := NewManager(rtConf, serviceManager, middlewaresBuilder, chainBuilder, metrics.NewVoidRegistry())
@ -860,7 +860,7 @@ func BenchmarkRouterServe(b *testing.B) {
serviceManager := service.NewManager(rtConf.Services, nil, nil, staticRoundTripperGetter{res})
middlewaresBuilder := middleware.NewBuilder(rtConf.Middlewares, serviceManager, nil)
chainBuilder := middleware.NewChainBuilder(nil, nil, nil, nil)
chainBuilder := middleware.NewChainBuilder(nil, nil, nil)
routerManager := NewManager(rtConf, serviceManager, middlewaresBuilder, chainBuilder, metrics.NewVoidRegistry())

6
pkg/server/routerfactory_test.go
View file

@ -53,7 +53,7 @@ func TestReuseService(t *testing.T) {
managerFactory := service.NewManagerFactory(staticConfig, nil, metrics.NewVoidRegistry(), roundTripperManager, nil)
tlsManager := tls.NewManager()
factory := NewRouterFactory(staticConfig, managerFactory, tlsManager, middleware.NewChainBuilder(nil, nil, nil, nil), nil, metrics.NewVoidRegistry())
factory := NewRouterFactory(staticConfig, managerFactory, tlsManager, middleware.NewChainBuilder(nil, nil, nil), nil, metrics.NewVoidRegistry())
entryPointsHandlers, _ := factory.CreateRouters(runtime.NewConfig(dynamic.Configuration{HTTP: dynamicConfigs}))
@ -189,7 +189,7 @@ func TestServerResponseEmptyBackend(t *testing.T) {
managerFactory := service.NewManagerFactory(staticConfig, nil, metrics.NewVoidRegistry(), roundTripperManager, nil)
tlsManager := tls.NewManager()
factory := NewRouterFactory(staticConfig, managerFactory, tlsManager, middleware.NewChainBuilder(nil, nil, nil, nil), nil, metrics.NewVoidRegistry())
factory := NewRouterFactory(staticConfig, managerFactory, tlsManager, middleware.NewChainBuilder(nil, nil, nil), nil, metrics.NewVoidRegistry())
entryPointsHandlers, _ := factory.CreateRouters(runtime.NewConfig(dynamic.Configuration{HTTP: test.config(testServer.URL)}))
@ -232,7 +232,7 @@ func TestInternalServices(t *testing.T) {
voidRegistry := metrics.NewVoidRegistry()
factory := NewRouterFactory(staticConfig, managerFactory, tlsManager, middleware.NewChainBuilder(voidRegistry, nil, nil, nil), nil, voidRegistry)
factory := NewRouterFactory(staticConfig, managerFactory, tlsManager, middleware.NewChainBuilder(voidRegistry, nil, nil), nil, voidRegistry)
entryPointsHandlers, _ := factory.CreateRouters(runtime.NewConfig(dynamic.Configuration{HTTP: dynamicConfigs}))

6
pkg/server/service/proxy_websocket_test.go
View file

@ -593,9 +593,11 @@ func TestWebSocketTransferTLSConfig(t *testing.T) {
require.NoError(t, err)
assert.Equal(t, "ok", resp)
http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
// Don't alter default transport to prevent side effects on other tests.
defaultTransport := http.DefaultTransport.(*http.Transport).Clone()
defaultTransport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
forwarderWithTLSConfigFromDefaultTransport, err := buildProxy(Bool(true), nil, http.DefaultTransport, nil)
forwarderWithTLSConfigFromDefaultTransport, err := buildProxy(Bool(true), nil, defaultTransport, nil)
require.NoError(t, err)
proxyWithTLSConfigFromDefaultTransport := createProxyWithForwarder(t, forwarderWithTLSConfigFromDefaultTransport, srv.URL)

34
pkg/server/service/roundtripper_test.go
View file

@ -283,11 +283,11 @@ func TestSpiffeMTLS(t *testing.T) {
}
testCases := []struct {
desc string
config dynamic.Spiffe
clientSource SpiffeX509Source
wantStatusCode int
wantErrorMessage string
desc string
config dynamic.Spiffe
clientSource SpiffeX509Source
wantStatusCode int
wantError bool
}{
{
desc: "supports SPIFFE mTLS",
@ -308,8 +308,8 @@ func TestSpiffeMTLS(t *testing.T) {
config: dynamic.Spiffe{
IDs: []string{"spiffe://traefik.test/not-server"},
},
clientSource: &clientSource,
wantErrorMessage: `unexpected ID "spiffe://traefik.test/server"`,
clientSource: &clientSource,
wantError: true,
},
{
desc: "allows expected server trust domain",
@ -324,8 +324,8 @@ func TestSpiffeMTLS(t *testing.T) {
config: dynamic.Spiffe{
TrustDomain: "spiffe://not-traefik.test",
},
clientSource: &clientSource,
wantErrorMessage: `unexpected trust domain "traefik.test"`,
clientSource: &clientSource,
wantError: true,
},
{
desc: "spiffe IDs allowlist takes precedence",
@ -333,14 +333,14 @@ func TestSpiffeMTLS(t *testing.T) {
IDs: []string{"spiffe://traefik.test/not-server"},
TrustDomain: "spiffe://not-traefik.test",
},
clientSource: &clientSource,
wantErrorMessage: `unexpected ID "spiffe://traefik.test/server"`,
clientSource: &clientSource,
wantError: true,
},
{
desc: "raises an error when spiffe is enabled on the transport but no workloadapi address is given",
config: dynamic.Spiffe{},
clientSource: nil,
wantErrorMessage: `remote error: tls: bad certificate`,
desc: "raises an error when spiffe is enabled on the transport but no workloadapi address is given",
config: dynamic.Spiffe{},
clientSource: nil,
wantError: true,
},
}
@ -362,8 +362,8 @@ func TestSpiffeMTLS(t *testing.T) {
client := http.Client{Transport: tr}
resp, err := client.Get(srv.URL)
if test.wantErrorMessage != "" {
assert.ErrorContains(t, err, test.wantErrorMessage)
if test.wantError {
require.Error(t, err)
return
}

6
script/gcg/traefik-bugfix.toml
View file

@ -4,11 +4,11 @@ RepositoryName = "traefik"
OutputType = "file"
FileName = "traefik_changelog.md"
# example new bugfix v2.9.1
# example new bugfix v2.9.2
CurrentRef = "v2.9"
PreviousRef = "v2.9.0"
PreviousRef = "v2.9.1"
BaseBranch = "v2.9"
FutureCurrentRefName = "v2.9.0"
FutureCurrentRefName = "v2.9.2"
ThresholdPreviousRef = 10
ThresholdCurrentRef = 10

12
webui/src/components/_commons/PanelMiddlewares.vue
View file

@ -675,8 +675,8 @@
</div>
</q-card-section>
<!-- EXTRA FIELDS FROM MIDDLEWARES - [ipWhiteList] - sourceRange -->
<q-card-section v-if="middleware.ipWhiteList">
<!-- EXTRA FIELDS FROM MIDDLEWARES - [ipAllowList] - sourceRange -->
<q-card-section v-if="middleware.ipAllowList">
<div class="row items-start no-wrap">
<div class="col">
<div class="text-subtitle2">Source Range</div>
@ -689,8 +689,8 @@
</div>
</div>
</q-card-section>
<!-- EXTRA FIELDS FROM MIDDLEWARES - [ipWhiteList] - ipStrategy -->
<q-card-section v-if="middleware.ipWhiteList">
<!-- EXTRA FIELDS FROM MIDDLEWARES - [ipAllowList] - ipStrategy -->
<q-card-section v-if="middleware.ipAllowList">
<div class="row items-start">
<div class="col-12">
<div class="text-subtitle2">IP Strategy</div>
@ -1076,8 +1076,8 @@
</q-card-section>
<q-card-section v-if="protocol === 'tcp'">
<!-- EXTRA FIELDS FROM MIDDLEWARES - [ipWhiteList] - sourceRange -->
<q-card-section v-if="middleware.ipWhiteList">
<!-- EXTRA FIELDS FROM MIDDLEWARES - [ipAllowList] - sourceRange -->
<q-card-section v-if="middleware.ipAllowList">
<div class="row items-start no-wrap">
<div class="col">
<div class="text-subtitle2">Source Range</div>