package configuration import ( "crypto/tls" "fmt" "io/ioutil" "os" "strings" "time" "github.com/containous/flaeg" "github.com/containous/traefik/acme" "github.com/containous/traefik/log" "github.com/containous/traefik/provider/boltdb" "github.com/containous/traefik/provider/consul" "github.com/containous/traefik/provider/docker" "github.com/containous/traefik/provider/dynamodb" "github.com/containous/traefik/provider/ecs" "github.com/containous/traefik/provider/etcd" "github.com/containous/traefik/provider/eureka" "github.com/containous/traefik/provider/file" "github.com/containous/traefik/provider/kubernetes" "github.com/containous/traefik/provider/marathon" "github.com/containous/traefik/provider/mesos" "github.com/containous/traefik/provider/rancher" "github.com/containous/traefik/provider/web" "github.com/containous/traefik/provider/zk" "github.com/containous/traefik/types" ) const ( // DefaultHealthCheckInterval is the default health check interval. DefaultHealthCheckInterval = 30 * time.Second // DefaultDialTimeout when connecting to a backend server. DefaultDialTimeout = 30 * time.Second // DefaultIdleTimeout before closing an idle connection. DefaultIdleTimeout = 180 * time.Second ) // GlobalConfiguration holds global configuration (with providers, etc.). // It's populated from the traefik configuration file passed as an argument to the binary. type GlobalConfiguration struct { GraceTimeOut flaeg.Duration `short:"g" description:"Duration to give active requests a chance to finish before Traefik stops" export:"true"` Debug bool `short:"d" description:"Enable debug mode" export:"true"` CheckNewVersion bool `description:"Periodically check if a new version has been released" export:"true"` AccessLogsFile string `description:"(Deprecated) Access logs file" export:"true"` // Deprecated AccessLog *types.AccessLog `description:"Access log settings" export:"true"` TraefikLogsFile string `description:"Traefik logs file. Stdout is used when omitted or empty" export:"true"` LogLevel string `short:"l" description:"Log level" export:"true"` EntryPoints EntryPoints `description:"Entrypoints definition using format: --entryPoints='Name:http Address::8000 Redirect.EntryPoint:https' --entryPoints='Name:https Address::4442 TLS:tests/traefik.crt,tests/traefik.key;prod/traefik.crt,prod/traefik.key'" export:"true"` Cluster *types.Cluster `description:"Enable clustering" export:"true"` Constraints types.Constraints `description:"Filter services by constraint, matching with service tags" export:"true"` ACME *acme.ACME `description:"Enable ACME (Let's Encrypt): automatic SSL" export:"true"` DefaultEntryPoints DefaultEntryPoints `description:"Entrypoints to be used by frontends that do not specify any entrypoint" export:"true"` ProvidersThrottleDuration flaeg.Duration `description:"Backends throttle duration: minimum duration between 2 events from providers before applying a new configuration. It avoids unnecessary reloads if multiples events are sent in a short amount of time." export:"true"` MaxIdleConnsPerHost int `description:"If non-zero, controls the maximum idle (keep-alive) to keep per-host. If zero, DefaultMaxIdleConnsPerHost is used" export:"true"` IdleTimeout flaeg.Duration `description:"(Deprecated) maximum amount of time an idle (keep-alive) connection will remain idle before closing itself." export:"true"` // Deprecated InsecureSkipVerify bool `description:"Disable SSL certificate verification" export:"true"` RootCAs RootCAs `description:"Add cert file for self-signed certificate"` Retry *Retry `description:"Enable retry sending request if network error" export:"true"` HealthCheck *HealthCheckConfig `description:"Health check parameters" export:"true"` RespondingTimeouts *RespondingTimeouts `description:"Timeouts for incoming requests to the Traefik instance" export:"true"` ForwardingTimeouts *ForwardingTimeouts `description:"Timeouts for requests forwarded to the backend servers" export:"true"` Docker *docker.Provider `description:"Enable Docker backend with default settings" export:"true"` File *file.Provider `description:"Enable File backend with default settings" export:"true"` Web *web.Provider `description:"Enable Web backend with default settings" export:"true"` Marathon *marathon.Provider `description:"Enable Marathon backend with default settings" export:"true"` Consul *consul.Provider `description:"Enable Consul backend with default settings" export:"true"` ConsulCatalog *consul.CatalogProvider `description:"Enable Consul catalog backend with default settings" export:"true"` Etcd *etcd.Provider `description:"Enable Etcd backend with default settings" export:"true"` Zookeeper *zk.Provider `description:"Enable Zookeeper backend with default settings" export:"true"` Boltdb *boltdb.Provider `description:"Enable Boltdb backend with default settings" export:"true"` Kubernetes *kubernetes.Provider `description:"Enable Kubernetes backend with default settings" export:"true"` Mesos *mesos.Provider `description:"Enable Mesos backend with default settings" export:"true"` Eureka *eureka.Provider `description:"Enable Eureka backend with default settings" export:"true"` ECS *ecs.Provider `description:"Enable ECS backend with default settings" export:"true"` Rancher *rancher.Provider `description:"Enable Rancher backend with default settings" export:"true"` DynamoDB *dynamodb.Provider `description:"Enable DynamoDB backend with default settings" export:"true"` } // SetEffectiveConfiguration adds missing configuration parameters derived from existing ones. // It also takes care of maintaining backwards compatibility. func (gc *GlobalConfiguration) SetEffectiveConfiguration() { if len(gc.EntryPoints) == 0 { gc.EntryPoints = map[string]*EntryPoint{"http": { Address: ":80", ForwardedHeaders: &ForwardedHeaders{Insecure: true}, }} gc.DefaultEntryPoints = []string{"http"} } // ForwardedHeaders must be remove in the next breaking version for entryPointName := range gc.EntryPoints { entryPoint := gc.EntryPoints[entryPointName] if entryPoint.ForwardedHeaders == nil { entryPoint.ForwardedHeaders = &ForwardedHeaders{Insecure: true} } } if gc.Rancher != nil { // Ensure backwards compatibility for now if len(gc.Rancher.AccessKey) > 0 || len(gc.Rancher.Endpoint) > 0 || len(gc.Rancher.SecretKey) > 0 { if gc.Rancher.API == nil { gc.Rancher.API = &rancher.APIConfiguration{ AccessKey: gc.Rancher.AccessKey, SecretKey: gc.Rancher.SecretKey, Endpoint: gc.Rancher.Endpoint, } } log.Warn("Deprecated configuration found: rancher.[accesskey|secretkey|endpoint]. " + "Please use rancher.api.[accesskey|secretkey|endpoint] instead.") } if gc.Rancher.Metadata != nil && len(gc.Rancher.Metadata.Prefix) == 0 { gc.Rancher.Metadata.Prefix = "latest" } } if gc.Debug { gc.LogLevel = "DEBUG" } if gc.Web != nil && (gc.Web.Path == "" || !strings.HasSuffix(gc.Web.Path, "/")) { gc.Web.Path += "/" } } // DefaultEntryPoints holds default entry points type DefaultEntryPoints []string // String is the method to format the flag's value, part of the flag.Value interface. // The String method's output will be used in diagnostics. func (dep *DefaultEntryPoints) String() string { return strings.Join(*dep, ",") } // Set is the method to set the flag value, part of the flag.Value interface. // Set's argument is a string to be parsed to set the flag. // It's a comma-separated list, so we split it. func (dep *DefaultEntryPoints) Set(value string) error { entrypoints := strings.Split(value, ",") if len(entrypoints) == 0 { return fmt.Errorf("bad DefaultEntryPoints format: %s", value) } for _, entrypoint := range entrypoints { *dep = append(*dep, entrypoint) } return nil } // Get return the EntryPoints map func (dep *DefaultEntryPoints) Get() interface{} { return DefaultEntryPoints(*dep) } // SetValue sets the EntryPoints map with val func (dep *DefaultEntryPoints) SetValue(val interface{}) { *dep = DefaultEntryPoints(val.(DefaultEntryPoints)) } // Type is type of the struct func (dep *DefaultEntryPoints) Type() string { return "defaultentrypoints" } // RootCAs hold the CA we want to have in root type RootCAs []FileOrContent // FileOrContent hold a file path or content type FileOrContent string func (f FileOrContent) String() string { return string(f) } func (f FileOrContent) Read() ([]byte, error) { var content []byte if _, err := os.Stat(f.String()); err == nil { content, err = ioutil.ReadFile(f.String()) if err != nil { return nil, err } } else { content = []byte(f) } return content, nil } // String is the method to format the flag's value, part of the flag.Value interface. // The String method's output will be used in diagnostics. func (r *RootCAs) String() string { sliceOfString := make([]string, len([]FileOrContent(*r))) for key, value := range *r { sliceOfString[key] = value.String() } return strings.Join(sliceOfString, ",") } // Set is the method to set the flag value, part of the flag.Value interface. // Set's argument is a string to be parsed to set the flag. // It's a comma-separated list, so we split it. func (r *RootCAs) Set(value string) error { rootCAs := strings.Split(value, ",") if len(rootCAs) == 0 { return fmt.Errorf("bad RootCAs format: %s", value) } for _, rootCA := range rootCAs { *r = append(*r, FileOrContent(rootCA)) } return nil } // Get return the EntryPoints map func (r *RootCAs) Get() interface{} { return RootCAs(*r) } // SetValue sets the EntryPoints map with val func (r *RootCAs) SetValue(val interface{}) { *r = RootCAs(val.(RootCAs)) } // Type is type of the struct func (r *RootCAs) Type() string { return "rootcas" } // EntryPoints holds entry points configuration of the reverse proxy (ip, port, TLS...) type EntryPoints map[string]*EntryPoint // String is the method to format the flag's value, part of the flag.Value interface. // The String method's output will be used in diagnostics. func (ep *EntryPoints) String() string { return fmt.Sprintf("%+v", *ep) } // Set is the method to set the flag value, part of the flag.Value interface. // Set's argument is a string to be parsed to set the flag. // It's a comma-separated list, so we split it. func (ep *EntryPoints) Set(value string) error { result := parseEntryPointsConfiguration(value) var configTLS *TLS if len(result["tls"]) > 0 { certs := Certificates{} if err := certs.Set(result["tls"]); err != nil { return err } configTLS = &TLS{ Certificates: certs, } } else if len(result["tls_acme"]) > 0 { configTLS = &TLS{ Certificates: Certificates{}, } } if len(result["ca"]) > 0 { files := strings.Split(result["ca"], ",") configTLS.ClientCAFiles = files } var redirect *Redirect if len(result["redirect_entrypoint"]) > 0 || len(result["redirect_regex"]) > 0 || len(result["redirect_replacement"]) > 0 { redirect = &Redirect{ EntryPoint: result["redirect_entrypoint"], Regex: result["redirect_regex"], Replacement: result["redirect_replacement"], } } whiteListSourceRange := []string{} if len(result["whitelistsourcerange"]) > 0 { whiteListSourceRange = strings.Split(result["whitelistsourcerange"], ",") } compress := toBool(result, "compress") var proxyProtocol *ProxyProtocol ppTrustedIPs := result["proxyprotocol_trustedips"] if len(result["proxyprotocol_insecure"]) > 0 || len(ppTrustedIPs) > 0 { proxyProtocol = &ProxyProtocol{ Insecure: toBool(result, "proxyprotocol_insecure"), } if len(ppTrustedIPs) > 0 { proxyProtocol.TrustedIPs = strings.Split(ppTrustedIPs, ",") } } // TODO must be changed to false by default in the next breaking version. forwardedHeaders := &ForwardedHeaders{Insecure: true} if _, ok := result["forwardedheaders_insecure"]; ok { forwardedHeaders.Insecure = toBool(result, "forwardedheaders_insecure") } fhTrustedIPs := result["forwardedheaders_trustedips"] if len(fhTrustedIPs) > 0 { // TODO must be removed in the next breaking version. forwardedHeaders.Insecure = toBool(result, "forwardedheaders_insecure") forwardedHeaders.TrustedIPs = strings.Split(fhTrustedIPs, ",") } if proxyProtocol != nil && proxyProtocol.Insecure { log.Warn("ProxyProtocol.Insecure:true is dangerous. Please use 'ProxyProtocol.TrustedIPs:IPs' and remove 'ProxyProtocol.Insecure:true'") } (*ep)[result["name"]] = &EntryPoint{ Address: result["address"], TLS: configTLS, Redirect: redirect, Compress: compress, WhitelistSourceRange: whiteListSourceRange, ProxyProtocol: proxyProtocol, ForwardedHeaders: forwardedHeaders, } return nil } func parseEntryPointsConfiguration(raw string) map[string]string { sections := strings.Fields(raw) config := make(map[string]string) for _, part := range sections { field := strings.SplitN(part, ":", 2) name := strings.ToLower(strings.Replace(field[0], ".", "_", -1)) if len(field) > 1 { config[name] = field[1] } else { if strings.EqualFold(name, "TLS") { config["tls_acme"] = "TLS" } else { config[name] = "" } } } return config } func toBool(conf map[string]string, key string) bool { if val, ok := conf[key]; ok { return strings.EqualFold(val, "true") || strings.EqualFold(val, "enable") || strings.EqualFold(val, "on") } return false } // Get return the EntryPoints map func (ep *EntryPoints) Get() interface{} { return EntryPoints(*ep) } // SetValue sets the EntryPoints map with val func (ep *EntryPoints) SetValue(val interface{}) { *ep = EntryPoints(val.(EntryPoints)) } // Type is type of the struct func (ep *EntryPoints) Type() string { return "entrypoints" } // EntryPoint holds an entry point configuration of the reverse proxy (ip, port, TLS...) type EntryPoint struct { Network string Address string TLS *TLS `export:"true"` Redirect *Redirect `export:"true"` Auth *types.Auth `export:"true"` WhitelistSourceRange []string Compress bool `export:"true"` ProxyProtocol *ProxyProtocol `export:"true"` ForwardedHeaders *ForwardedHeaders `export:"true"` } // Redirect configures a redirection of an entry point to another, or to an URL type Redirect struct { EntryPoint string Regex string Replacement string } // TLS configures TLS for an entry point type TLS struct { MinVersion string `export:"true"` CipherSuites []string Certificates Certificates ClientCAFiles []string } // MinVersion Map of allowed TLS minimum versions var MinVersion = map[string]uint16{ `VersionTLS10`: tls.VersionTLS10, `VersionTLS11`: tls.VersionTLS11, `VersionTLS12`: tls.VersionTLS12, } // CipherSuites Map of TLS CipherSuites from crypto/tls // Available CipherSuites defined at https://golang.org/pkg/crypto/tls/#pkg-constants var CipherSuites = map[string]uint16{ `TLS_RSA_WITH_RC4_128_SHA`: tls.TLS_RSA_WITH_RC4_128_SHA, `TLS_RSA_WITH_3DES_EDE_CBC_SHA`: tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA, `TLS_RSA_WITH_AES_128_CBC_SHA`: tls.TLS_RSA_WITH_AES_128_CBC_SHA, `TLS_RSA_WITH_AES_256_CBC_SHA`: tls.TLS_RSA_WITH_AES_256_CBC_SHA, `TLS_RSA_WITH_AES_128_CBC_SHA256`: tls.TLS_RSA_WITH_AES_128_CBC_SHA256, `TLS_RSA_WITH_AES_128_GCM_SHA256`: tls.TLS_RSA_WITH_AES_128_GCM_SHA256, `TLS_RSA_WITH_AES_256_GCM_SHA384`: tls.TLS_RSA_WITH_AES_256_GCM_SHA384, `TLS_ECDHE_ECDSA_WITH_RC4_128_SHA`: tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`: tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`: tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, `TLS_ECDHE_RSA_WITH_RC4_128_SHA`: tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA, `TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA`: tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`: tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`: tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`: tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`: tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`: tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`: tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`: tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`: tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305`: tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305`: tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, } // Certificates defines traefik certificates type // Certs and Keys could be either a file path, or the file content itself type Certificates []Certificate //CreateTLSConfig creates a TLS config from Certificate structures func (certs *Certificates) CreateTLSConfig() (*tls.Config, error) { config := &tls.Config{} config.Certificates = []tls.Certificate{} certsSlice := []Certificate(*certs) for _, v := range certsSlice { var err error certContent, err := v.CertFile.Read() if err != nil { return nil, err } keyContent, err := v.KeyFile.Read() if err != nil { return nil, err } cert, err := tls.X509KeyPair(certContent, keyContent) if err != nil { return nil, err } config.Certificates = append(config.Certificates, cert) } return config, nil } // String is the method to format the flag's value, part of the flag.Value interface. // The String method's output will be used in diagnostics. func (certs *Certificates) String() string { if len(*certs) == 0 { return "" } var result []string for _, certificate := range *certs { result = append(result, certificate.CertFile.String()+","+certificate.KeyFile.String()) } return strings.Join(result, ";") } // Set is the method to set the flag value, part of the flag.Value interface. // Set's argument is a string to be parsed to set the flag. // It's a comma-separated list, so we split it. func (certs *Certificates) Set(value string) error { certificates := strings.Split(value, ";") for _, certificate := range certificates { files := strings.Split(certificate, ",") if len(files) != 2 { return fmt.Errorf("bad certificates format: %s", value) } *certs = append(*certs, Certificate{ CertFile: FileOrContent(files[0]), KeyFile: FileOrContent(files[1]), }) } return nil } // Type is type of the struct func (certs *Certificates) Type() string { return "certificates" } // Certificate holds a SSL cert/key pair // Certs and Key could be either a file path, or the file content itself type Certificate struct { CertFile FileOrContent KeyFile FileOrContent } // Retry contains request retry config type Retry struct { Attempts int `description:"Number of attempts" export:"true"` } // HealthCheckConfig contains health check configuration parameters. type HealthCheckConfig struct { Interval flaeg.Duration `description:"Default periodicity of enabled health checks" export:"true"` } // RespondingTimeouts contains timeout configurations for incoming requests to the Traefik instance. type RespondingTimeouts struct { ReadTimeout flaeg.Duration `description:"ReadTimeout is the maximum duration for reading the entire request, including the body. If zero, no timeout is set" export:"true"` WriteTimeout flaeg.Duration `description:"WriteTimeout is the maximum duration before timing out writes of the response. If zero, no timeout is set" export:"true"` IdleTimeout flaeg.Duration `description:"IdleTimeout is the maximum amount duration an idle (keep-alive) connection will remain idle before closing itself. Defaults to 180 seconds. If zero, no timeout is set" export:"true"` } // ForwardingTimeouts contains timeout configurations for forwarding requests to the backend servers. type ForwardingTimeouts struct { DialTimeout flaeg.Duration `description:"The amount of time to wait until a connection to a backend server can be established. Defaults to 30 seconds. If zero, no timeout exists" export:"true"` ResponseHeaderTimeout flaeg.Duration `description:"The amount of time to wait for a server's response headers after fully writing the request (including its body, if any). If zero, no timeout exists" export:"true"` } // ProxyProtocol contains Proxy-Protocol configuration type ProxyProtocol struct { Insecure bool TrustedIPs []string } // ForwardedHeaders Trust client forwarding headers type ForwardedHeaders struct { Insecure bool TrustedIPs []string }