After 3 months of development, we are thrilled to announce the fresh new release of Traefik: 1.5, codename cancoillotte.
We merged 175 pull requests from more than 67 contributors ! Huge thanks goes to all of you who helped on this new version 😘.
The full changelog can be found here but here are some new features we want to highlight:
Let’s Encrypt HTTP Challenge
On January the 9th, a little surprise appeared on our Twitter timeline:2018.01.09 Issue with TLS-SNI-01 and Shared Hosting Infrastructure[Update 2018-01-18: The most up-to-date summary is at IMPORTANT: What you need to know about TLS-SNI validation issues] At approximately 5 p.m. Pacific time on January 9, 2018, we received a report from Frans Rosén of Detectify outlining a method of exploiting some shared hosting infrastructures to…
And then:2018.01.11 Update Regarding ACME TLS-SNI and Shared Hosting Infrastructure[Update 2018-01-18: The most up-to-date summary is at IMPORTANT: What you need to know about TLS-SNI validation issues] Please see this post for background information. The last 48 hours have been a busy time for Let’s Encrypt staff. We’ve been working hard to come up with a plan for ACME TLS-SNI …
TL;DR: Let’s Encrypt permanently disabled
TLS-SNI-0x challenge due to a vulnerability.
And yes, Traefik was using
TLS-SNI-01 challenge by default. Ouch…
Even though we were at the end of a release cycle (1.5.0-rc4 was already out), we decided to push a new release candidate in emergency to add
HTTP-01 challenge support. This fix was big enough to end in the new 1.5 and not as a bug fix on 1.4 branch. Users will need to enable it with the new
Few months ago, we created a proposal in which we came up with the idea of collecting stats from running Traefik instances:
As you may know, the Traefik core development team is quite small and as with a lot of open source projects, we lack time and resources. As a consequence, we have to carefully choose which tasks and features need our attention. As a result, we usually invest our time on features needed or requested by most of the community. In order to efficiently do this, we have to know how our community uses Traefik.
As this is a super sensitive topic, we preferred to open a public debate, and build a transparent and trusted solution with the community. We are excited to say that we quickly reached a consensus, and Ludovic Fernandez successfully implemented a safe configuration export mechanism.
We chose to make it opt-in, which means that no data will be sent without enabling this feature. If enabled, only anonymous configuration options will be sent to a collecting server.
We really hope that all of our efforts will pay off, and that you will help us improve Traefik enabling this feature in your infrastructure:
sendAnonymousUsage = true
We invite you to read the constructive discussion that led to this new feature and the documentation to get more details. Many thanks to the community for its positive feedback!
Dynamic TLS Certificates
Nicolas Mengin did a great job at making TLS certificates management dynamic. You can now add or remove TLS certificates while Traefik is started! In addition to
frontends, there is now a dedicated
tls section in the dynamic configuration. Let’s declare two new certificates using the file provider, you can now add a new
tls section in your TOML:
[frontends] ... [backends] ... # HTTPS certificates [[tls]] entryPoints = ["https"] [tls.certificate] certFile = "path/to/my.cert" keyFile = "path/to/my.key" [[tls]] entryPoints = ["https"] [tls.certificate] certFile = "path/to/my/other.cert" keyFile = "path/to/my/other.key"
Each change of this file will make Traefik reload its TLS certificates. You can also split your configuration into multiple files if you prefer.
[frontends] [frontends.frontend1] entrypoints = ["http"] backend = "backend1" [frontends.frontend1.routes.test_1] rule = "Path:/" [frontends.frontend1.ratelimit] extractorfunc = "client.ip" [frontends.frontend1.ratelimit.rateset.rateset1] period = "10s" average = 100 burst = 200 [frontends.frontend1.ratelimit.rateset.rateset2] period = "3s" average = 5 burst = 10
In the above example,
frontend1is configured to limit requests by the client’s ip address. An average of 5 requests every 3 seconds is allowed and an average of 100 requests every 10 seconds. These can “burst” up to 10 and 200 in each period respectively.
Azure Service Fabric Support
Azure Service Fabric is a distributed systems platform that makes it easy to package, deploy, and manage scalable and reliable microservices and containers.
This new provider uses labels to configure how services are exposed through Traefik using the services
Have a look at the documentation, we will give more update on this soon!
In A Nutshell
Daniel Tomcej added Kubernetes annotations and Docker labels for security headers, Nicolas Mengin added support to etcd v3, our great Manuel Zapf implemented the redirection to another entryPoint per frontend. Thanks to Aditya C S, Traefik can now export its metrics to InfluxDB. Michael Matur and Ludovic Fernandez did a great job adding multi-versioning to our documentation (from https://docs.traefik.io/v1.0 to http://docs.traefik.io/v1.5). Julien Salleyron refactored the web provider into API/Dashboard, ping, metric and Rest Provider.
But that’s not all, check the whole changelog to get an idea of the awesome work that has been done on this release. Lots of bugs have been fixed and we also have been working on background refactoring tasks that will help us improving Traefik in future releases.
Grab the latest binary for Linux, Windows, Mac on Github or get the official Docker image!
docker pull traefik:v1.5.0 (or 1.5.0, v1.5, 1.5, cancoillotte) docker pull traefik:v1.5.0-alpine (or 1.5.0-alpine, v1.5-alpine, 1.5-alpine, cancoillotte-alpine)
The versioned documentation can be found on https://docs.traefik.io.
We are hiring developers and evangelists, try to solve our puzzle: containo.us/#jobs !
Traefik is still growing fast, we just passed 12k stars on Github and 42M downloads!
This is a companion discussion topic for the original entry at https://containo.us/blog/traefik-1-5-cancoillotte-is-here-7bd6713ae135/