Log4Shell: a middleware plugin for Traefik which blocks JNDI attacks based on HTTP header values

Overview

Traefik

Traefik (pronounced traffic) is a modern HTTP reverse proxy and load balancer that makes deploying microservices easy. Traefik integrates with your existing infrastructure components (Docker, Swarm mode, Kubernetes, Marathon, Consul, Etcd, Rancher, Amazon ECS, ...) and configures itself automatically and dynamically. Pointing Traefik at your orchestrator should be the only configuration step you need.


⚠️ Please be aware that the old configurations for Traefik v1.x are NOT compatible with the v2.x config as of now. If you're running v2, please ensure you are using a v2 configuration.

Overview

Imagine that you have deployed a bunch of microservices with the help of an orchestrator (like Swarm or Kubernetes) or a service registry (like etcd or consul). Now you want users to access these microservices, and you need a reverse proxy.

Traditional reverse-proxies require that you configure each route that will connect paths and subdomains to each microservice. In an environment where you add, remove, kill, upgrade, or scale your services many times a day, the task of keeping the routes up to date becomes tedious.

This is when Traefik can help you!

Traefik listens to your service registry/orchestrator API and instantly generates the routes so your microservices are connected to the outside world -- without further intervention from your part.

Run Traefik and let it do the work for you! (But if you'd rather configure some of your routes manually, Traefik supports that too!)

Architecture

Features

  • Continuously updates its configuration (No restarts!)
  • Supports multiple load balancing algorithms
  • Provides HTTPS to your microservices by leveraging Let's Encrypt (wildcard certificates support)
  • Circuit breakers, retry
  • See the magic through its clean web UI
  • Websocket, HTTP/2, GRPC ready
  • Provides metrics (Rest, Prometheus, Datadog, Statsd, InfluxDB)
  • Keeps access logs (JSON, CLF)
  • Fast
  • Exposes a Rest API
  • Packaged as a single binary file (made with ❤️ with go) and available as an official docker image

Supported Backends

Quickstart

To get your hands on Traefik, you can use the 5-Minute Quickstart in our documentation (you will need Docker).

Web UI

You can access the simple HTML frontend of Traefik.

Web UI Providers

Documentation

You can find the complete documentation of Traefik v2 at https://doc.traefik.io/traefik/.

If you are using Traefik v1, you can find the complete documentation at https://doc.traefik.io/traefik/v1.7/.

A collection of contributions around Traefik can be found at https://awesome.traefik.io.

Support

To get community support, you can:

  • join the Traefik community forum: Join the chat at https://community.traefik.io/

If you need commercial support, please contact Traefik.io by mail: mailto:[email protected].

Download

  • Run the binary with a configuration file:
./traefik --configFile=traefik.toml
  • Or run the official Docker image with the same configuration file:
docker run -d -p 8080:8080 -p 80:80 -v $PWD/traefik.toml:/etc/traefik/traefik.toml traefik
  • Or get the sources:
git clone https://github.com/traefik/traefik

Introductory Videos

You can find high level and deep dive videos on videos.traefik.io.

Maintainers

We are strongly promoting a philosophy of openness and sharing, and firmly standing against the elitist closed approach. Being part of the core team should be accessible to anyone who is motivated and wants to be part of that journey! This document describes how to be part of the core team as well as the various responsibilities and guidelines for Traefik maintainers. You can also find more information on our process to review pull requests and manage issues in this document.

Contributing

If you'd like to contribute to the project, refer to the contributing documentation.

Please note that this project is released with a Contributor Code of Conduct. By participating in this project, you agree to abide by its terms.

Release Cycle

  • We usually release 3 or 4 new versions (e.g. 1.1.0, 1.2.0, 1.3.0) per year.
  • Release Candidates are available before the release (e.g. 1.1.0-rc1, 1.1.0-rc2, 1.1.0-rc3, 1.1.0-rc4, before 1.1.0).
  • Bug-fixes (e.g. 1.1.1, 1.1.2, 1.2.1, 1.2.3) are released as needed (no additional features are delivered in those versions, bug-fixes only).

Each version is supported until the next one is released (e.g. 1.1.x will be supported until 1.2.0 is out).

We use Semantic Versioning.

Mailing Lists

Credits

Kudos to Peka for his awesome work on the gopher's logo!

The gopher's logo of Traefik is licensed under the Creative Commons 3.0 Attributions license.

The gopher's logo of Traefik was inspired by the gopher stickers made by Takuya Ueda. The original Go gopher was designed by Renee French.

Comments
  • v2.8.2 go panic

    Welcome!

    • [X] Yes, I've searched similar issues on GitHub and didn't find any.
    • [X] Yes, I've searched similar issues on the Traefik community forum and didn't find any.

    What did you do?

    Watchtower upgraded to 2.8.2; I'm sourcing latest. The upgrade should have gone smoothly as usual.

    What did you see instead?

    Go panic; I can post the full stack trace if necessary, but it's very large and hard to bound.

    What version of Traefik are you using?

    Version:      2.8.2
    Codename:     vacherin
    Go version:   go1.19
    Built:        2022-08-11T14:55:50Z
    OS/Arch:      linux/amd64
    

    What is your environment & configuration?

    Docker provider, cannot provide config (company/org). 2.8.1 works as expected.

    If applicable, please paste the log output in DEBUG level

     time="2022-08-11T17:16:16-03:00" level=error msg="Error in Go routine: runtime error: slice bounds out of range [2:1]"
    traefik-traefik-1  | time="2022-08-11T17:16:16-03:00" level=error msg="Stack: goroutine 29 [running]:\nruntime/debug.Stack()\n\truntime/debug/stack.go:24 +0x65\ngithub.com/traefik/traefik/v2/pkg/safe.defaultRecoverGoroutine({0x36a75c0?, 0xc0007e40c0})\n\tgithub.com/traefik/traefik/v2/pkg/safe/routine.go:66 +0xa5\ngithub.com/traefik/traefik/v2/pkg/safe.GoWithRecover.func1.1()\n\tgithub.com/traefik/traefik/v2/pkg/safe/routine.go:56 +0x36\npanic({0x36a75c0, 0xc0007e40c0})\n\truntime/panic.go:884 +0x212\ngithub.com/traefik/paerser/parser.filler.setSlice({{0x19?, {0x3989c0e?, 0x0?}}}, {0x2ff49c0?, 0xc0004c91f8?, 0x355146f?}, 0xc0004d86c0)\n\tgithub.com/traefik/[email protected]/parser/element_fill.go:157 +0xaa5\ngithub.com/traefik/paerser/pa
    

    lots more, typical go stack trace. I can't reproduce this frequently, I need to get this server back to production.

    priority/P0 kind/bug/confirmed status/5-frozen-due-to-age 
    opened by endigma 96
  • Add Support for Consul Connect

    What does this PR do?

    The change set introduces support for Consul Connect enabled services.

    Motivation

    There is no edge proxy available that can route traffic to a Connect-enabled service. Consul Connect, despite being a powerful and easy-to-use service mesh, is useless to a lot of people who are mainly looking to route traffic from the internet to private services. A service running inside the Connect service mesh can only receive traffic via its sidecar, and the sidecar will only communicate with a network peer using mutual TLS. The solution is easy, but hasn't been implemented in any form.

    Traefik already supports Consul Catalog; it is only a matter of utilizing the certificates for the upstream connection wherever applicable, and it becomes the perfect edge proxy for the Connect mesh.

    More

    • [ ] Added/updated tests
    • [ ] Added/updated documentation

    Additional Notes

    This PR is in progress, I need some help to figure out how to set the TLS configuration on a connection without specifying it in service tags.

    Related: https://github.com/containous/traefik/issues/3544

    Continues consul connect integration from #6373

    Co-authored-by: Florian Apolloner [email protected]

    kind/enhancement size/L area/provider/consulcatalog 
    opened by Gufran 93
  • Specify backend servers' weight via annotation for kubernetes

    What does this PR do?

    Fixes #2729. Also previous discussions.

    Provides a new ingress annotation ingress.kubernetes.io/backend-weights which specifies a YAML-encoded, percentage-based weight distribution. With this annotation, we can do canary releases by dynamically adjusting the weight of ingress backends.

    Since the weight of types.Server is currently an integer, I created a simple allocator to make the weights of the servers as even as possible.

    Motivation

    Introduce weight-based canary release to kubernetes provider with minimal change.

    More

    • [X] Added/updated tests
    • [x] Added/updated documentation

    Additional Notes

    kind/enhancement area/provider/k8s/ingress size/M 
    opened by yue9944882 63
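    The PR above describes two pieces: a percentage map carried in the annotation, and an allocator that turns a backend's percentage into integer per-server weights. The following is an added illustration of that idea, not the PR's own code or Traefik's: the `Server` type, function names and the constructed canary split are assumptions, and the annotation is parsed with encoding/json (the JSON-compatible flow-mapping form of YAML) to stay dependency-free.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Server mirrors the idea of an upstream entry with an integer weight,
// as the PR describes for types.Server. (Illustrative type, not Traefik's.)
type Server struct {
	URL    string
	Weight int
}

// ParseBackendWeights decodes the annotation value. The PR describes it as
// YAML-encoded; this example accepts the JSON-compatible flow-mapping form
// (e.g. {"api-v1": 90, "api-v2": 10}) so it needs no third-party YAML library.
// The percentages must be non-negative and sum to exactly 100.
func ParseBackendWeights(annotation string) (map[string]int, error) {
	var pct map[string]int
	if err := json.Unmarshal([]byte(annotation), &pct); err != nil {
		return nil, fmt.Errorf("backend-weights annotation: %w", err)
	}
	total := 0
	for name, p := range pct {
		if p < 0 {
			return nil, fmt.Errorf("backend %q: negative weight %d", name, p)
		}
		total += p
	}
	if total != 100 {
		return nil, fmt.Errorf("backend weights sum to %d, want 100", total)
	}
	return pct, nil
}

// AllocateWeights splits a backend's percentage across its n endpoints as
// integer weights that differ by at most one and sum to percent.
func AllocateWeights(percent, n int) []int {
	if n <= 0 {
		return nil
	}
	base, extra := percent/n, percent%n
	weights := make([]int, n)
	for i := range weights {
		weights[i] = base
		if i < extra {
			weights[i]++ // hand out the remainder one unit at a time
		}
	}
	return weights
}

// WeightedServers turns (percentage per backend, endpoints per backend) into a
// flat server list. Backends are visited in sorted order so output is
// deterministic; a backend that has a weight but no endpoints is an error.
func WeightedServers(pct map[string]int, endpoints map[string][]string) ([]Server, error) {
	names := make([]string, 0, len(pct))
	for name := range pct {
		names = append(names, name)
	}
	sort.Strings(names)
	var servers []Server
	for _, name := range names {
		eps := endpoints[name]
		if len(eps) == 0 {
			return nil, fmt.Errorf("backend %q has a weight but no endpoints", name)
		}
		for i, w := range AllocateWeights(pct[name], len(eps)) {
			servers = append(servers, Server{URL: eps[i], Weight: w})
		}
	}
	return servers, nil
}

func main() {
	// Constructed sample: a 90/10 canary split with uneven endpoint counts.
	pct, err := ParseBackendWeights(`{"api-v1": 90, "api-v2": 10}`)
	if err != nil {
		panic(err)
	}
	endpoints := map[string][]string{
		"api-v1": {"http://10.0.0.1:8080", "http://10.0.0.2:8080", "http://10.0.0.3:8080", "http://10.0.0.4:8080"},
		"api-v2": {"http://10.0.1.1:8080", "http://10.0.1.2:8080", "http://10.0.1.3:8080"},
	}
	servers, err := WeightedServers(pct, endpoints)
	if err != nil {
		panic(err)
	}
	for _, s := range servers {
		fmt.Printf("%-22s weight=%d\n", s.URL, s.Weight) // 23,23,22,22 then 4,3,3
	}
}
```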
  • enable custom plugins/middlewares for Traefik

    After seeing the Go 1.8 new plugin feature I thought that this could help a lot of people to add specific functionalities to Traefik.

    Instead of building/compiling/shipping a custom-made version of Traefik to enable a custom functionality, it would be possible to write way simpler custom-made middlewares with this approach, wouldn't it?

    Try to imagine creating a package that receives the request as a parameter without having to recompile the whole Traefik repository just to add a small change. Does it sound like a middleware? Because for me it is! It's just a go1.8-plugin-based middleware!

    What do you guys think?

    kind/proposal status/5-frozen-due-to-age 
    opened by migueleliasweb 59
  • Need URL rewrite to add trailing slash

    I have a simple app, which has the following file structure at root

    • script.js
    • style.css
    • index.html (load the other two files using relative path script.js and style.css)

    Since I want to access the app via URL http://example/app, I proxied the web app with rule PathStripPrefix:/app. The problem is when I try to access URL http://example/app (without trailing slash), it will load "index.html" fine, but not the JS and CSS file. When I look into the debugger, it tries to load:

    • http://example/script.js
    • http://example/style.css

    Instead of (the correct one):

    • http://example/app/script.js
    • http://example/app/style.css

    It only works when I type the original URL with a trailing slash, so http://example/app/. This is not a big deal for me, but users sometimes find it annoying since we used to use Nginx, which sends a "301 Moved Permanently" to the URL with a trailing slash when it's not there. I wonder if it is possible / makes sense to implement this in Traefik?

    Thank you!

    kind/enhancement status/5-frozen-due-to-age 
    opened by javefang 58
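    The issue above hinges on how a browser resolves a relative reference such as script.js against the page URL, and on the redirect behaviour the reporter saw from Nginx. The following is an added illustration, not the reporter's code or Traefik's: `ResolveAsset` shows the two resolutions with the standard library, and `TrailingSlashRedirect` (a hypothetical handler; the prefix and the port are assumptions) answers the slash-less path with a 301 to the same path plus "/", building the Location from the configured prefix rather than from the request so a client cannot steer the redirect to another host.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// ResolveAsset does what the browser does with a relative reference such as
// "script.js" in index.html: it resolves it against the page URL (RFC 3986),
// which drops the last path segment of the base. Hence:
//   http://example/app  + script.js -> http://example/script.js      (broken)
//   http://example/app/ + script.js -> http://example/app/script.js  (correct)
func ResolveAsset(page, asset string) (string, error) {
	base, err := url.Parse(page)
	if err != nil {
		return "", err
	}
	ref, err := url.Parse(asset)
	if err != nil {
		return "", err
	}
	return base.ResolveReference(ref).String(), nil
}

// TrailingSlashRedirect answers a request whose path is exactly prefix (no
// trailing slash) with 301 Moved Permanently to prefix + "/", keeping the
// query string, and passes every other request to next. The Location is a
// path-only URL built from the configured prefix, never from request data,
// so it cannot become a scheme-relative or cross-host redirect.
func TrailingSlashRedirect(prefix string, next http.Handler) http.Handler {
	prefix = "/" + strings.Trim(prefix, "/")
	if prefix == "/" {
		return next // nothing to add for the root path
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == prefix {
			target := prefix + "/"
			if r.URL.RawQuery != "" {
				target += "?" + r.URL.RawQuery
			}
			http.Redirect(w, r, target, http.StatusMovedPermanently)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	for _, page := range []string{"http://example/app", "http://example/app/"} {
		u, _ := ResolveAsset(page, "script.js")
		fmt.Printf("%-22s + script.js -> %s\n", page, u)
	}
	// A trivial app behind the redirect, constructed for the example.
	app := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "served %s\n", r.URL.Path)
	})
	if err := http.ListenAndServe(":8000", TrailingSlashRedirect("/app", app)); err != nil {
		panic(err)
	}
}
```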
  • New web ui

    First of all, sorry for making a PR this huge; I did read the contributing guide, but in this case I believe a small PR is not possible.

    Hi guys, I really like the project and I decided to help you with the transition to the latest version of Angular rather than using the first version.

    I also updated the UI and started working on making it slightly more modern, but haven't finished things yet. First, I would like to know if you guys are even interested in upgrading and improving the user interface? If so, this PR is not finished yet; it's a work in progress, but it can be done in a day.

    I have a question: is there a reason why you are sending xhr requests to the server in a time interval (3000ms)? I believe this is more or less an anti-pattern and should be done with websockets. All live data on the Web UI should be transferred through websockets, and if someone is interested in creating the server side I can update the frontend accordingly.

    TODO:

    • [x] health
    • [ ] frontend implementation of reconnecting websocket
    • [ ] e2e tests
    • [ ] karma tests

    Cheers, Jan

    kind/enhancement area/webui size/L 
    opened by jkuri 56
  • #504 Initial support for Docker 1.12 Swarm Mode

    This new provider just works with one network and the traefik.port label.

    I included a swarm provider; it's quite similar to the docker provider, but this swarm provider watches for services data.

    kind/enhancement area/provider/docker 
    opened by diegofernandes 53
  • ACME HTTP-01 challenge fails by timeout

    Do you want to request a feature or report a bug?

    Bug

    What did you do?

    I am trying to fetch automatic certificates from Let's Encrypt with HTTP-01.

    What did you expect to see?

    Fetching certificates like before TLS-SNI problems.

    What did you see instead?

    No new certificates.

    Possible problems / fixes

    It looks like it has something to do with adding the http route to each domain (domain.com/.well-known/acme-challenge/[token]). When visiting the same route over https I receive a 404 directly. But via http it times out.

    https://github.com/containous/traefik/blob/5140bbe99a79b45f98c27fbb8e9b6833194af4cb/acme/challenge_http_provider.go#L22

    Via Slack someone (maverick) tried my same configuration but with a consul backend. Maybe it has something to do with that?

    When checking the debug logs it seems it "CleansUp" the token for that domain before hitting the timeout. Maybe it has something to do with that?

    Output of traefik version: (What version of Traefik are you using?)

    Traefik version v1.5.0 built on 2018-01-23_04:42:32PM
    

    What is your environment & configuration (arguments, toml, provider, platform, ...)?

    defaultEntryPoints = ["http", "https"]
    debug = true
    logLevel = "DEBUG"
    
    [entryPoints]
      [entryPoints.http]
      address = ":80"
    #    [entryPoints.http.redirect]
    #    entryPoint = "https"
      compress = true
      [entryPoints.https]
        address = ":443"
        compress = true
        [entryPoints.https.tls]
    
    [acme]
      email = "[email protected]"
      caServer = "https://acme-staging.api.letsencrypt.org/directory"
      # Tried it on production as well
      storage = "/etc/traefik/acme/acme.json"
      entryPoint = "https"
      OnHostRule = true
      acmeLogging = true
      [acme.httpChallenge]
        entryPoint = "http"
    
    # Enable Docker configuration backend
    [docker]
      endpoint = "unix:///var/run/docker.sock"
      domain = "sandbox.domain.com"
      watch = true
      swarmmode = true
      exposedbydefault = true
    
    [api]
      entryPoint = "traefik"
      dashboard = true
      address = ":8080"
    
      [api.statistics]
        recentErrors = 10
    

    docker-compose.yml

    version: '3'
    services:
      nginx:
        image: nginx:1.13
        volumes:
          - "../workspace:/srv"
          - "./nginx/default.conf:/etc/nginx/conf.d/default.conf"
        deploy:
          labels:
            - "traefik.backend=rest-api"
            - "traefik.port=80"
            - "traefik.frontend.rule=Host:rest-api.sandbox.domain.com"
            - "traefik.docker.network=frontend"
            - "traefik.backend.loadbalancer.method=drr"
        networks:
          - frontend
          - backend
    
      php:
        image: php-fpm:7.1
        volumes:
          - "../workspace:/srv"
        networks:
          - backend
    
    networks:
      backend:
        external:
          name: rest-api
      frontend:
        external:
          name: frontend
    

    If applicable, please paste the log output in debug mode (--debug switch)

    logs
    time="2018-01-25T10:05:56Z" level=debug msg="LoadCertificateForDomains [rest-api.sandbox.domain.com]..." 
    time="2018-01-25T10:05:56Z" level=debug msg="Looking for provided certificate to validate [rest-api.sandbox.domain.com]..." 
    time="2018-01-25T10:05:56Z" level=debug msg="No provided certificate found for domains [rest-api.sandbox.domain.com], get ACME certificate." 
    time="2018-01-25T10:05:56Z" level=debug msg="Loading ACME certificates [rest-api.sandbox.domain.com]..." 
    legolog: 2018/01/25 10:05:56 [INFO][rest-api.sandbox.domain.com] acme: Obtaining bundled SAN certificate
    legolog: 2018/01/25 10:05:56 [INFO][rest-api.sandbox.domain.com] AuthURL: https://acme-staging.api.letsencrypt.org/acme/authz/w3M__oDqozE[...]T_SPCiF7p5CYLFI
    legolog: 2018/01/25 10:05:56 [INFO][rest-api.sandbox.domain.com] acme: Could not find solver for: dns-01
    legolog: 2018/01/25 10:05:56 [INFO][rest-api.sandbox.domain.com] acme: Trying to solve HTTP-01
    time="2018-01-25T10:05:56Z" level=debug msg="Challenge Present rest-api.sandbox.domain.com" 
    time="2018-01-25T10:06:07Z" level=debug msg="Challenge CleanUp rest-api.sandbox.domain.com" 
    time="2018-01-25T10:06:07Z" level=error msg="map[rest-api.sandbox.domain.com:acme: Error 400 - urn:acme:error:connection - Fetching http://rest-api.sandbox.domain.com/.well-known/acme-challenge/GECQ9JRWb4pA[...]Bc3rmeveJd611YowU: Timeout
    Error Detail:
    	Validation for rest-api.sandbox.domain.com:80
    	Resolved to:
    		***.***.***.***
    		***:*:*:*::*
    	Used: ***:*:*:*::*
    
    ]" 
    time="2018-01-25T10:06:07Z" level=error msg="Error getting ACME certificates [rest-api.sandbox.domain.com] : cannot obtain certificates map[rest-api.sandbox.domain.com:acme: Error 400 - urn:acme:error:connection - Fetching http://rest-api.sandbox.domain.com/.well-known/acme-challenge/GECQ9JRWb4pA0OlC[...]eJd611YowU: Timeout
    Error Detail:
    	Validation for rest-api.sandbox.domain.com:80
    	Resolved to:
    		***.***.***.***
    		***:*:*:*::*
    	Used: ***:*:*:*::*
    
    ]" 
    time="2018-01-25T10:06:07Z" level=debug msg="LoadCertificateForDomains []..." 
    legolog: 2018/01/25 10:06:07 [INFO][exceptions.sandbox.domain.com] acme: Obtaining bundled SAN certificate
    time="2018-01-25T10:06:07Z" level=debug msg="LoadCertificateForDomains [exceptions.sandbox.domain.com]..." 
    time="2018-01-25T10:06:07Z" level=debug msg="Looking for provided certificate to validate [exceptions.sandbox.domain.com]..." 
    time="2018-01-25T10:06:07Z" level=debug msg="No provided certificate found for domains [exceptions.sandbox.domain.com], get ACME certificate." 
    time="2018-01-25T10:06:07Z" level=debug msg="Loading ACME certificates [exceptions.sandbox.domain.com]..." 
    legolog: 2018/01/25 10:06:07 [INFO][exceptions.sandbox.domain.com] AuthURL: https://acme-staging.api.letsencrypt.org/acme/authz/oUlowLzxA9hKGib[...]MpTqEWA4ksu345xc
    legolog: 2018/01/25 10:06:07 [INFO][exceptions.sandbox.domain.com] acme: Could not find solver for: dns-01
    legolog: 2018/01/25 10:06:07 [INFO][exceptions.sandbox.domain.com] acme: Trying to solve HTTP-01
    time="2018-01-25T10:06:07Z" level=debug msg="Challenge Present exceptions.sandbox.domain.com" 
    time="2018-01-25T10:06:09Z" level=debug msg="Filtering container without port and no traefik.port label traefik.1 : strconv.Atoi: parsing "": invalid syntax" 
    time="2018-01-25T10:06:09Z" level=debug msg="Filtering container without port and no traefik.port label payment_php.1 : strconv.Atoi: parsing "": invalid syntax" 
    time="2018-01-25T10:06:09Z" level=debug msg="Filtering container without port and no traefik.port label my_php.1 : strconv.Atoi: parsing "": invalid syntax" 
    time="2018-01-25T10:06:09Z" level=debug msg="Filtering container without port and no traefik.port label webfrontend_php.1 : strconv.Atoi: parsing "": invalid syntax" 
    time="2018-01-25T10:06:09Z" level=debug msg="Filtering container without port and no traefik.port label rest-api_php.1 : strconv.Atoi: parsing "": invalid syntax" 
    time="2018-01-25T10:06:09Z" level=debug msg="Filtering container without port and no traefik.port label order_php.1 : strconv.Atoi: parsing "": invalid syntax" 
    time="2018-01-25T10:06:09Z" level=debug msg="Filtering container without port and no traefik.port label catalog_php.1 : strconv.Atoi: parsing "": invalid syntax" 
    time="2018-01-25T10:06:09Z" level=debug msg="Filtering container without port and no traefik.port label price_php.1 : strconv.Atoi: parsing "": invalid syntax" 
    time="2018-01-25T10:06:09Z" level=debug msg="Filtering container without port and no traefik.port label notifications_php.1 : strconv.Atoi: parsing "": invalid syntax" 
    time="2018-01-25T10:06:09Z" level=debug msg="Filtering container without port and no traefik.port label exceptions_php.1 : strconv.Atoi: parsing "": invalid syntax" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.whitelistSourceRange labels" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.entryPoints labels" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.auth.basic labels" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.whitelistSourceRange labels" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.auth.basic labels" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.whitelistSourceRange labels" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.entryPoints labels" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.auth.basic labels" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.whitelistSourceRange labels" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.entryPoints labels" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.auth.basic labels" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.whitelistSourceRange labels" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.entryPoints labels" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.auth.basic labels" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.whitelistSourceRange labels" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.entryPoints labels" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.auth.basic labels" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.whitelistSourceRange labels" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.entryPoints labels" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.auth.basic labels" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.whitelistSourceRange labels" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.entryPoints labels" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.auth.basic labels" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.whitelistSourceRange labels" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.entryPoints labels" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.auth.basic labels" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.whitelistSourceRange labels" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.entryPoints labels" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.auth.basic labels" 
    
    resolution/declined area/acme kind/bug/possible status/5-frozen-due-to-age 
    opened by deargonaut 50
  • Sporadic 502 response only when running through traefik

    Do you want to request a feature or report a bug?

    Bug

    What did you do?

    I have a graphql API running on NodeJS using Apollo and Express, with traefik in front.

    When proxying through traefik I get sporadic 502 responses that I have not been able to resolve.

    It never happens when I bypass the proxy and connect directly to the backend node server.

    I am running all tests locally on my dev machine.

    My first attempt to force the error was load testing with the locust framework. However, even when sending large amounts of requests through the proxy I was unable to replicate the error. It only happens when I use the frontend application in the browser.

    After reading this oxy issue I started suspecting cancelled connections.

    I added a custom HTTP header with a UUID to be able to trace all requests, which I print on the backend.

      // Log the request id carried in the custom header so each request can be traced end to end
      app.use((req, res, next) => {
        const id = req.headers['x-request-id'];
        if (id) {
          console.log(`Request id: ${id}`);
        }
        next();
      });
    
    

    Then I also added the following event listener to the express server to detect cancelled requests

      // Log when the underlying socket closes, which is how a cancelled request shows up server-side
      app.use((req, res, next) => {
        req.connection.on('close', () => {
          const id = req.headers['x-request-id'];
          console.log(`Cancelled request ${id}`);
        });

        next();
      });
    

    What I can see is that I do get cancelled requests when running the application in the browser, and at some point I get a 502 response from traefik. And in the traefik log this is:

    DEBU[2018-04-26T13:43:51+02:00] vulcand/oxy/forward/http: Round trip: http://localhost:6543, code: 502, Length: 11, duration: 66.352475ms 
    

    And the nodejs backend log looks something like this:

    ...
    Request id: 7455804b-490a-4361-98e5-43d12bf4aca8
    Request id: 737f8d9d-3300-461b-858b-07006582a937
    POST /graphql 200 83.542 ms - 310
    POST /graphql 200 16.441 ms - 682
    Request id: 096e0e39-90e6-475c-b8ad-0aa2dfd2e345
    POST /graphql 200 5.338 ms - 163
    Request id: 69f17cb2-cdf1-4db5-a9f5-08e46d795892
    Request id: 50d3aec6-5cda-4e8b-ac0e-a30a57fa94c9
    POST /graphql 200 58.596 ms - 310
    POST /graphql 200 15.526 ms - 682
    Request id: 1d051f3a-7d80-464b-b50f-6d8e733d1940
    <------------- Here I get the 502
    Cancelled request 2e0a8e14-9880-46e7-8e51-ad528d55a81d
    Cancelled request b9489e71-7fc5-4f1c-b30a-668aac4652f9
    Cancelled request 249c529c-b9cb-4b48-a491-8e38a7ee50d8
    Cancelled request a5be4a66-9d43-4e30-a92d-862b355399a0
    Cancelled request 3721fe71-fe18-4389-812a-a90cc2f4f0f1
    Cancelled request 71b74750-8078-471e-91b8-a8119e5db797
    Cancelled request 34fb6b91-9fa5-4d68-92da-c267089f5910
    Cancelled request 692770b1-61c3-49c2-8309-8e7be629dca1
    Cancelled request 05790579-8290-4787-a7b7-82596ad24520
    Cancelled request c8edcc39-30c7-4812-941c-a1899298acf7
    Cancelled request 2ba9e715-ab7c-48ee-9d35-b5609179de6e
    Cancelled request b34f4725-665f-4b27-b3e1-cefec20c2ade
    Cancelled request 04bd3718-f6aa-4318-a469-fa3e17f54a20
    Cancelled request 4aedc60c-269a-420c-b083-1ea8f2e3243e
    Cancelled request 25be7334-43f9-4135-9537-36b0e36e698c
    Cancelled request 47bc1f9f-55c7-4f31-9957-7f0ad4285314
    Cancelled request bae3237c-efc8-4831-8260-6edbcedef28f
    Cancelled request 54685ecb-4d34-4698-b956-d0602b74a2e4
    Cancelled request 965f6ff2-da91-423c-a8e4-c2f4252f25fc
    Cancelled request 95c77d5c-230d-4875-8b25-fc0673c8e595
    Cancelled request 01658960-4627-42f8-a496-d29408a9579b
    Cancelled request 38221ac3-47ed-42f2-a56e-31deacdbfd62
    Cancelled request e73bec6b-744c-47bc-b001-0d914f03e976
    Cancelled request 73fade75-a943-45df-8b21-f8c50a480170
    Cancelled request 02688ad9-e947-415f-b70c-3cda16c50cf2
    Cancelled request 5d7d26c2-8c69-4083-a2d3-f0e1ae23bd0f
    Cancelled request f81a0258-085d-462f-9fcb-8a8b47918d04
    ...
    

    The failed request that gets a 502 response in the browser never reaches the node server backend.

    I get a whole bunch of cancelled requests after the 502 occurs. These request IDs have been successfully served by the nodejs application at an earlier point.

    The cancelling of the requests seems to indicate some kind of connection leak? Or maybe it's just a side effect of having chrome developer tools open?

    Anyway I never get any error response when bypassing the traefik instance.

    As the oxy issue describes, if I could just get some other response than 502 for cancelled requests I could handle this better on the client side.

    Output of traefik version: (What version of Traefik are you using?)

    I get the problem with the docker release as well as my homebrew install.

    Homebrew traefik version:

    Version:      dev
    Codename:     cheddar
    Go version:   go1.10
    Built:        I don't remember exactly
    OS/Arch:      darwin/amd64
    

    Docker traefik version:

    Version:      v1.5.2
    Codename:     cancoillotte
    Go version:   go1.9.4
    Built:        2018-02-12_10:56:31AM
    OS/Arch:      linux/amd64
    

    What is your environment & configuration (arguments, toml, provider, platform, ...)?

    debug = true
    
    logLevel = "DEBUG"
    defaultEntryPoints = ["http"]
    
    [entryPoints]
      [entryPoints.ping]
      address = ":8082"
    
      [entryPoints.api]
      address = ":8080"
    
      [entryPoints.http]
      address = ":80"
    
    [retry]
    
    [ping]
    entryPoint = "ping"
    
    [api]
    entryPoint = "api"
      [api.statistics]
    
    [file]
    [backends]
      [backends.bct]
        [backends.bct.servers]
          [backends.bct.servers.server0]
            # url = "http://docker.for.mac.host.internal:6543"
            url = "http://localhost:6543"
    
    
    [frontends]
      [frontends.bct]
        entryPoints = ["http"]
        backend = "bct"
    
    [docker]
      endpoint = "unix:///var/run/docker.sock"
      # domain = "docker.for.mac.host.internal"
      domain = "localhost"
      watch = true
      exposedbydefault = false
    
    
    contributor/need-more-information kind/bug/possible area/server status/5-frozen-due-to-age 
    opened by koliyo 49
  • Docker Swarm: Support for real time event listening (connection drain support).

    What does this PR do?

    These changes provide support for load balancer draining for Docker Swarm. Note, the containers and services should also support graceful shutdowns.

    This change makes sure Traefik stops routing, almost instantly, traffic to containers that are not in the "running" state.

    We have backwards compatibility for Docker Swarm managers that don't offer live swarm events, by polling every 15 seconds (it's the same functionality as the current "master" branch offers).

    Motivation

    We require a Docker Swarm load balancer that supports connection draining.

    Related to #41 Fixes #3035

    Additional information

    These changes do not break backwards compatibility.

    These changes do not affect Traefik setups that are configured to route traffic using the internal Docker Swarm load balancing (IPVS). Traefik does not use the Docker Swarm load balancing by default (does not matter if Traefik is running with swarm mode set to true or not).

    Stress testing results

    Results from some tests I did locally on my Swarm cluster, using the official Traefik Docker image from the date of the testing (15th of March 2018), versus the patched Traefik binary. The file names describe what is being tested.

    https://gist.github.com/kristinn/e3c450b71aa3898f39fea20abe87bade

    kind/enhancement contributor/waiting-for-corrections area/provider/docker size/S area/provider/docker/swarm 
    opened by kristinn 49
  • Authentication middleware

    Authentication middleware

    A global authentication middleware being able to redirect incoming request to a remote authentication service which could transform initial requests before they are forwarded to internal services would be a great improvement for traefik.

    Use case is to be able to validate an OAuth token, add a JWT in request header with login information and forward it the right service. If OAuth token is not valid, the request is rejected with a 403 immediately.

    Issue links to #30 and #391.

    kind/proposal area/authentication status/5-frozen-due-to-age 
    opened by sebastienfr 47
  • Traefik does not retry failed ACME requests

    Traefik does not retry failed ACME requests

    Welcome!

    • [X] Yes, I've searched similar issues on GitHub and didn't find any.
    • [X] Yes, I've searched similar issues on the Traefik community forum and didn't find any.

    What did you do?

    I am running Traefik as the ingress provider in a Kubernetes cluster.

    If Traefik is unable to reach a given ACME server when it starts up, we see errors such as:

    traefik-588765f894-7x98v traefik time="2022-09-30T20:47:05Z" level=error msg="Unable to obtain ACME certificate for domains "postgres.apps.infra.internal": cannot get ACME client get directory at 'https://step-certificates.step-certificates.svc.cluster.local/acme/acme/directory': acme: error: 0 :: GET :: https://step-certificates.step-certificates.svc.cluster.local/acme/acme/directory :: notFound :: resource not found" providerName=incluster.acme ACME CA="https://step-certificates.step-certificates.svc.cluster.local/acme/acme/directory" rule="Host(postgres.apps.infra.internal) && PathPrefix(/)" [email protected]tes

    The ACME server comes up within a few seconds of these failures, but Traefik does not appear to ever retry the request. It is necessary to delete and re-create Ingress resources in order to force a retry (which succeeds).

    That means doing something like:

    kubectl -n namespace-with-service delete ingress --all
    

    Traefik should retry failed requests automatically (with a configurable backoff policy).

    What did you see instead?

    Traefik failed to retry the ACME requests, leaving the services in the cluster without valid certificates until we manually intervened.

    What version of Traefik are you using?

    Version: 2.9.0-rc5 Codename: banon Go version: go1.19.1 Built: 2022-09-30T13:23:19Z OS/Arch: linux/amd64

    What is your environment & configuration?

    Kubernetes (KIND) 1.25.0

    If applicable, please paste the log output in DEBUG level

    No response

    status/0-needs-triage 
    opened by larsks 0
  • Getting a 502 Bad Gateway with secured websocket

    Getting a 502 Bad Gateway with secured websocket

    Welcome!

    • [X] Yes, I've searched similar issues on GitHub and didn't find any.
    • [X] Yes, I've searched similar issues on the Traefik community forum and didn't find any.

    What did you do?

    I tried to connect to a secured websocket (using aiohttp) via traefik using AWS Fargate and an ECS provider. I tried with another (http) container (using flask) and it's working fine. The WSS container is working when pinging its direct address with a simple GET request, but not via traefik:

    • https://IP/viewer => not working via traefik, returns 502
    • https://IP:1234 => working without traefik, returns 200

    What did you see instead?

    502 - Bad Gateway

    What version of Traefik are you using?

    v2.8.4

    What is your environment & configuration?

    {
      "containerDefinitions": [
        {
          "portMappings": [
            {
              "hostPort": 443,
              "protocol": "tcp",
              "containerPort": 443
            },
            {
              "hostPort": 8080,
              "protocol": "tcp",
              "containerPort": 8080
            }
          ],
          "image": "traefik",
          "name": "Traefik",
          "command": [
            "--api.dashboard=true",
            "--api.insecure=true",
            "--log.level=DEBUG",
            "--providers.ecs=true",
            "--providers.ecs.exposedbydefault=false",
            "--providers.ecs.autoDiscoverClusters=false",
            "--providers.ecs.clusters=Dev_VisualizationCluster",
            "--entrypoints.websecure.address=:443",
            "--serversTransport.insecureSkipVerify=true"
          ],
          "logConfiguration": {
            "logDriver": "awslogs",
            "options": {
              "awslogs-create-group": "true",
              "awslogs-group": "/ecs/Dev_VisualizationTaskDefinition/traefik",
              "awslogs-region": "eu-west-3",
              "awslogs-stream-prefix": "ecs"
            }
          }
        },
        {
          "name": "VisualizationContainer",
          "image": "ghcr.io/geode-solutions/visualization_backend:develop",
          "cpu": 0,
          "portMappings": [
            {
              "hostPort": 1234,
              "protocol": "tcp",
              "containerPort": 1234
            }
          ],
          "essential": true,
          "dockerLabels": {
            "traefik.enable": "true",
            "traefik.http.middlewares.viewer-strip.stripprefix.forceSlash": "false",
            "traefik.http.middlewares.viewer-strip.stripprefix.prefixes": "/viewer",
            "traefik.http.routers.viewer-router.entrypoints": "websecure",
            "traefik.http.routers.viewer-router.middlewares": "viewer-strip",
            "traefik.http.routers.viewer-router.rule": "PathPrefix(`/viewer`)",
            "traefik.http.routers.viewer-router.tls": "true",
            "traefik.port": "1234"
          },
          "logConfiguration": {
            "logDriver": "awslogs",
            "options": {
              "awslogs-create-group": "true",
              "awslogs-group": "/ecs/Dev_VisualizationTaskDefinition/viewer",
              "awslogs-region": "eu-west-3",
              "awslogs-stream-prefix": "ecs"
            }
          }
        }
      ],
      "memory": "8192",
      "family": "Dev_VisualizationTaskDefinition",
      "networkMode": "awsvpc",
      "cpu": "4096",
      "requiresCompatibilities": [
        "FARGATE"
      ]
    }
    

    Add more configuration information here.

    If applicable, please paste the log output in DEBUG level

    30/09/2022 16:55:20 | time="2022-09-30T14:55:20Z" level=debug msg="'502 Bad Gateway' caused by: EOF" | Traefik
    30/09/2022 16:55:20 | time="2022-09-30T14:55:20Z" level=debug msg="vulcand/oxy/roundrobin/rr: completed ServeHttp on request" Request="{"Method":"GET","URL":{"Scheme":"","Opaque":"","User":null,"Host":"","Path":"","RawPath":"","OmitHost":false,"ForceQuery":false,"RawQuery":"","Fragment":"","RawFragment":""},"Proto":"HTTP/1.1","ProtoMajor":1,"ProtoMinor":1,"Header":{"Accept":["/"],"Accept-Encoding":["gzip, deflate, br"],"Connection":["close"],"User-Agent":["Thunder Client (https://www.thunderclient.com)"],"X-Forwarded-Host":["13.38.98.224"],"X-Forwarded-Port":["443"],"X-Forwarded-Prefix":["/viewer"],"X-Forwarded-Proto":["https"],"X-Forwarded-Server":["ip-172-31-18-187.eu-west-3.compute.internal"],"X-Real-Ip":["185.146.220.125"]},"ContentLength":0,"TransferEncoding":null,"Host":"13.38.98.224","Form":null,"PostForm":null,"MultipartForm":null,"Trailer":null,"RemoteAddr":"185.146.220.125:48211","RequestURI":"/","TLS":null}" | Traefik

    status/0-needs-triage 
    opened by JulienChampagnol 0
  • Servers Transport on TCP Configuration

    Servers Transport on TCP Configuration

    What does this PR do?

    Adding ServersTransport on Tcp Configuration #7803

    Motivation

    More

    • [x] Added/updated tests
    • [ ] Added/updated documentation

    Additional Notes

    • The tcp configuration could use the httproundtripper instead of implementing another one, by making the httproundtripper global and extensible and also accommodating tcp and http configuration.

    We couldn't figure out how to use the tcp configurations in the newproxy function.

    status/0-needs-triage size/L 
    opened by Wambug 0
  • Traefik Hackaethon: Integration of a DenyIP Middleware

    Traefik Hackaethon: Integration of a DenyIP Middleware

    Welcome!

    • [X] Yes, I've searched similar issues on GitHub and didn't find any.
    • [X] Yes, I've searched similar issues on the Traefik community forum and didn't find any.

    What did you expect to see?

    Hello,

    We would like to present a new middleware made during the Traefik Hackaethon (Team LittleThingProject). This is not a bug report but more a presentation of our work.

    Middleware PR: https://github.com/traefik/traefik/pull/9395

    Context

    We started to work on this to understand the Traefik code, and this was a good exercise to get into it.

    We were searching for such a middleware natively in traefik not using a plugin (which we know existed).

    We discussed this feature with a Traefik maintainer who suggested using the current denyIP plugin or implementing our own.

    Well we would like to try and make our case.

    Proposal

    As an edge router, Traefik is often the gateway to an infrastructure, or a set of websites / webservices. We often had the need to try and limit access in our company to only legitimate clients and not bots / malicious actors.

    For this, in our internal infrastructure we use the IPAllowlist middleware. But for services exposed to our clients we had no option to ban specific IPs using a native middleware.

    We use tools that gather for us lists of IPs that have specifically targeted us (from our SIEM) and we would like to be able to use traefik to dynamically or statically (from a file for instance) deny access to those IPs.

    We designed it with one example use case in mind, the Crowdsec Middleware Plugin, which is a specific application.

    Main idea

    We believe that with the power of such a middleware, and maybe native integrations from tools like AbuseIPDB / Crowdsec / IPVoid / TorList, we could limit access to those actors that are clearly identified as malicious.

    We (working in the cybersecurity field) know that it is not what's gonna prevent everything, but it could limit the noise and let us focus on our SIEM to real attacks.

    We would like to know the community's and maintainers' thoughts on this.

    Best, @mathieuHa @maxlerebourg

    status/0-needs-triage 
    opened by mathieuHa 0
  • Support SPIFFE mTLS between Traefik and Backend servers

    Support SPIFFE mTLS between Traefik and Backend servers

    What does this PR do?

    This PR adds support for SPIFFE mTLS between Traefik and its backend servers

    See #9376 for context and details

    Motivation

    Fun and end to end encryption.

    More

    • [x] Added/updated tests
    • [ ] Added/updated documentation

    Additional Notes

    • Documentation is yet to define. Let me know what needs to be done here :)
    • I went for --spiffe.workloadapiaddr instead of the proposed --spiffe.socketpath; the reason is that using a socket is not mandated by the SPIFFE spec itself, that's an implementation detail coming from SPIRE. And the go-spiffe library supports dialling over the network.
    • It looks like integrating spiffe-go bumped grpc-go as well, causing some deprecation warnings to appear: I fixed those.
    • If you want to try this PR, https://github.com/jlevesy/spire-testbed provides an easy to use test environment.
    kind/enhancement status/1-needs-design-review size/L area/tls area/provider/k8s/crd area/provider/k8s area/service 
    opened by jlevesy 0
  • Traefik Hackaethon: Integration of a crowdsec bouncer as a plugin

    Traefik Hackaethon: Integration of a crowdsec bouncer as a plugin

    Welcome!

    • [X] Yes, I've searched similar issues on GitHub and didn't find any.
    • [X] Yes, I've searched similar issues on the Traefik community forum and didn't find any.

    What did you expect to see?

    Hello,

    We would like to present a new plugin made during the Traefik Hackaethon (Team LittleThingProject). This is not a bug report but more a presentation of our work.

    Plugin catalog link: https://plugins.traefik.io/plugins/6335346ca4caa9ddeffda116/crowdsec-bouncer-traefik-plugin

    Crowdsec Bouncer

    This plugin is named "Crowdsec Bouncer" and it is publicly available at https://github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin.

    This plugin aims to implement a Crowdsec Bouncer as a traefik middleware plugin.

    CrowdSec is an open-source and collaborative IPS (Intrusion Prevention System) and a security suite. We leverage local behavior analysis and crowd power to build the largest CTI network in the world.

    The purpose is to enable Traefik to authorize or block requests from IPs based on their reputation and behavior.

    The Crowdsec utility will provide the community blocklist, which contains highly reported and validated IPs banned from the crowdsec network.

    When used with Crowdsec it will leverage the local API which will analyze Traefik logs and take decisions on the requests made by users/bots. Malicious actors will be banned based on patterns against your website and infrastructure.

    How it works

    Requirements

    It should be used in combination with a crowdsec service which can run in a docker-container. The README of the project provides a docker-compose.yml file that includes traefik, crowdsec and a webservice which is protected by the middleware.

    Initial startup

    At startup the crowdsec container will fetch from a remote API (CAPI) the community blacklist, and traefik will cache this list of decisions locally.

    Request flow

    Every request that comes through traefik with the middleware enabled will be checked against the local cache of malicious IPs. If not found, the request will go on; otherwise it will respond with a forbidden status code.

    Every log from Traefik will be checked against patterns in the Crowdsec container, for what are called scenarios. Crowdsec might then take a decision to ban the IP locally. When a decision is made, Crowdsec will share it with the community anonymously (it is possible to opt out). The shared metadata are:

    • The name of the scenario that was triggered
    • The hash & version of the scenario that was triggered
    • The timestamp of the decision
    • Your machine_id
    • The offending IP address (along with its geoloc info when available)

    In the Background

    Traefik will regularly fetch the new decisions made by Crowdsec and update its blocklist.

    The Team

    @maxlerebourg @mathieuHa

    About

    maxlerebourg and I have been using traefik since 2020. We come from web developer and security engineer backgrounds and wanted to add the power of a very promising technology (Crowdsec) into the edge router we love.

    We initially ran into this project: https://github.com/fbonalair/traefik-crowdsec-bouncer It was using Traefik and the forward auth middleware to verify every request. They had to go through a webserver which then contacts another webservice (the crowdsec LAPI) to make a decision based on the source IP. We initially proposed some improvements by implementing a streaming mode and a local cache.

    With the Traefik hackathon we decided to implement our solution directly as a Traefik plugin which could be found by everyone on plugins.traefik.io and be more performant.

    status/0-needs-triage 
    opened by mathieuHa 0
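The request flow described in the Crowdsec Bouncer post above (check the source IP against a locally cached set of ban decisions, answer 403 on a hit, otherwise pass the request on, and merge new and deleted decisions in the background) is the same check the DenyIP middleware proposal earlier on this page asks for. The Go code below is an added illustration of that flow, not code from either plugin or from Traefik; the `Blocklist`, `Apply`, `Banned`, `ClientIP` and `Bouncer` names, the map layout and the sample addresses are all this example's own, and it uses only the standard `net/http` handler shape rather than the Yaegi plugin entry points.

```go
package main

import (
	"net"
	"net/http"
	"sync"
	"time"
)

// Blocklist is the in-memory cache of ban decisions that every request is
// checked against: IP -> instant the ban expires (layout is this example's own).
type Blocklist struct {
	mu   sync.RWMutex
	bans map[string]time.Time
}

func NewBlocklist() *Blocklist { return &Blocklist{bans: map[string]time.Time{}} }

// Apply merges one poll of the decision stream, as the background refresh
// would: "added" bans are inserted, "deleted" ones removed, no full reload.
func (b *Blocklist) Apply(added map[string]time.Time, deleted []string) {
	b.mu.Lock()
	defer b.mu.Unlock()
	for ip, exp := range added {
		b.bans[ip] = exp
	}
	for _, ip := range deleted {
		delete(b.bans, ip)
	}
}

// Banned reports whether ip has a ban that is still in force at instant now.
func (b *Blocklist) Banned(ip string, now time.Time) bool {
	b.mu.RLock()
	defer b.mu.RUnlock()
	exp, ok := b.bans[ip]
	return ok && now.Before(exp)
}

// ClientIP takes the socket peer address only. X-Forwarded-For is deliberately
// not read: clients set it freely, so it is only meaningful once Traefik's
// forwarded-header handling has been configured for a known upstream proxy.
func ClientIP(r *http.Request) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return r.RemoteAddr // already a bare address (e.g. in tests)
	}
	return host
}

// Bouncer wraps next and answers 403 for banned sources, otherwise passes the
// request on: the "check local cache, else continue" flow of the post.
func Bouncer(next http.Handler, bl *Blocklist) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if bl.Banned(ClientIP(r), time.Now()) {
			http.Error(w, "Forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```

Expired entries are treated as absent rather than deleted eagerly, so a stale cache fails open on a lapsed ban but never blocks a source whose decision has run out.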
Releases(v2.9.0-rc5)
Owner
Traefik Labs
Makes Networking Boring
Traefik Labs