On the heels of our announcement last week regarding the new release candidate of Traefik 3.0, we are excited to bring to you Traefik Proxy 2.11, an important update to the 2.x branch underscoring our ongoing commitment to support this branch based on continuous feedback from the community and our customers.
In a nutshell, Traefik Proxy 2.11 extends Redis support to Redis Sentinel, is more efficient dealing with open connections, is safer with sticky cookies, and adds a migration path to Go 1.22, along with several bug fixes.
Let's dig deeper into this latest release, the details of its new features, and how to use them.
Redis Sentinel Support
Traefik Proxy has a unique configuration model that allows runtime changes to its dynamic configuration, so you can maintain high availability without dropping open connections by an unnecessary full proxy reload. From the multiple providers available, the Redis provider has been around since Traefik Proxy v2.2.
This release adds support for Redis Sentinel (PR#10245), which provides high availability for Redis when not using Redis Cluster. One of our Traefik Enterprise customers uses it for storing OIDC tokens, which we thought could benefit the wider community, so we brought it to the open-source version.
Open Connections Improved
Before Traefik Proxy v2.11, HTTP connections would stay open until clients closed them. This behavior could lead to more open connections and higher memory usage. Furthermore, when coupling Traefik Proxy with an upstream Load Balancer, this connection management method prevented an efficient traffic distribution when scaling up Traefik Proxy instances. The Load Balancer would stick to the same instance rather than ensuring a more even traffic distribution by sending requests to the newest instances.
To tackle this, we’ve introduced two new transport options for entrypoints (PR#10247). You can use both options together or choose one or the other:
- keepAliveMaxRequests: limits the number of requests each client can make within one connection. Whenever a client sends a request within an open connection, if this request number exceeds the keepAliveMaxRequests threshold, Traefik Proxy will ask for a connection close (sends the header Connection: close).
- keepAliveMaxTime: limits the time a client can keep reusing the same connection for its requests. Whenever a client sends a request within an open connection, if the elapsed time between the first and current requests exceeds the keepAliveMaxTime threshold, Traefik Proxy will ask for a connection close (sends the header Connection: close).
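The two limits described above can be sketched with Go's net/http. This is an added example, not Traefik's code; `connState`, `shouldClose` and `limitKeepAlive` are hypothetical names, and the comparison follows the wording above (close once a threshold is exceeded).

```go
package main

import (
	"context"
	"net"
	"net/http"
	"time"
)

type connKey struct{}

// connState is per-connection bookkeeping (hypothetical type for this example).
type connState struct {
	start    time.Time
	requests int
}

// shouldClose records one request and checks both limits; zero disables a limit.
func (c *connState) shouldClose(now time.Time, maxRequests int, maxTime time.Duration) bool {
	if c.requests == 0 {
		c.start = now
	}
	c.requests++
	return (maxRequests > 0 && c.requests > maxRequests) ||
		(maxTime > 0 && now.Sub(c.start) > maxTime)
}

// limitKeepAlive sets "Connection: close" once a limit is exceeded.
func limitKeepAlive(next http.Handler, maxRequests int, maxTime time.Duration) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		st, ok := r.Context().Value(connKey{}).(*connState)
		if ok && st.shouldClose(time.Now(), maxRequests, maxTime) {
			w.Header().Set("Connection", "close")
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.Write([]byte("ok\n")) })
	srv := &http.Server{
		Addr:    "127.0.0.1:8080",
		Handler: limitKeepAlive(ok, 100, 5*time.Minute),
		// One connState per accepted connection; HTTP/1.1 requests on it are sequential.
		ConnContext: func(ctx context.Context, _ net.Conn) context.Context {
			return context.WithValue(ctx, connKey{}, &connState{})
		},
	}
	_ = srv.ListenAndServe()
}
```

Once the handler sets the header, net/http closes the connection after the response, so the client's next request opens a new connection that an upstream load balancer can route to any instance.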
Encryption of Weighted Round Robin (WRR) Sticky Cookie Content
Load balancing is a big topic in networking; we even have a free Traefik Academy video course on it if you want to learn more about the ins and outs of load balancing. There are different ways to achieve it, and Weighted Round Robin (WRR) is one of them. With the File or IngressRoute providers, you can assign weights to services and let Traefik Proxy load balance the requests between these available services based on the weights.
When using WRR, a sticky session cookie is used to let the client know which server handles the first response. On subsequent requests, the client should send the cookie with the value set to keep the session alive with the same server. However, the contents of this cookie were previously not encrypted, which could expose the internal IP address of the proxied service.
We’ve listened to the community's voice and provided a fix (PR#10243) to hash the contents of the WRR sticky cookies. This way, it’s no longer possible to deduce information about the server handling the request.
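The idea of a hashed sticky cookie, as an added example that is not Traefik's implementation: the cookie carries a digest of the backend address and the proxy maps it back on the next request. The truncated SHA-256, the unweighted round robin fallback, the `stickyPool` type and the sample addresses are assumptions made for this sketch.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// cookieValue derives the opaque sticky-cookie value for a backend address.
// Truncated SHA-256 is this example's assumption, not necessarily Traefik's hash.
func cookieValue(backend string) string {
	sum := sha256.Sum256([]byte(backend))
	return hex.EncodeToString(sum[:8])
}

// stickyPool resolves cookie values to backends (hypothetical type).
type stickyPool struct {
	backends []string
	byCookie map[string]string
	next     int
}

func newStickyPool(backends ...string) *stickyPool {
	p := &stickyPool{backends: backends, byCookie: map[string]string{}}
	for _, b := range backends {
		p.byCookie[cookieValue(b)] = b
	}
	return p
}

// pick returns the backend for a request and the cookie value to send back.
// A missing, stale or tampered cookie falls back to round robin.
func (p *stickyPool) pick(cookie string) (backend, setCookie string) {
	if b, ok := p.byCookie[cookie]; ok {
		return b, cookie
	}
	b := p.backends[p.next%len(p.backends)]
	p.next++
	return b, cookieValue(b)
}

func main() {
	// Constructed sample backends (documentation address range).
	p := newStickyPool("http://192.0.2.10:8080", "http://192.0.2.11:8080")
	b1, c := p.pick("")
	b2, _ := p.pick(c)
	fmt.Println(c, b1 == b2)
}
```

An unkeyed digest keeps the address from being read off the cookie; a keyed hash (HMAC with a server-side secret) would additionally keep the value from being matched against known addresses.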
Other Changes
- The / character in router names can now be used through URL encoding/decoding the YAML keys. This change helps avoid 404 errors on the dashboard for aptly named routers (PR#10292).
- The ReadHeaderTimeout has been fixed for PROXY protocol by using the ReadTimeout configured on the entrypoint (PR#10320).
- We have fixed Kerberos and NTLM authentication with IIS server by “sticking” to the TCP connection with the backend for a single client TCP Connection when it’s necessary (PR#10405).
- The middleware IPWhiteList has been deprecated in favor of the new IPAllowList middleware (PR#10249).
- The Go library used has been updated to take advantage of the new features embedded in Go v1.22 as well as benefiting from security fixes until Go 1.24. This update impacts both the cipher suites and TLS minimum version management, for more information, please read the migration notes.
- Our documentation’s readability, wording, formatting, link accessibility, and examples have also been improved.
Wrapping It Up
With 2.11, Traefik is smarter, safer, more efficient, and future proof. We want to thank all community members who gave feedback, asked questions and challenged the team. This makes Traefik much better.
If you are interested in contributing to Traefik Proxy, join us on GitHub, where you can request features/enhancements, help us design the next version, or even get your hands dirty by creating or reviewing pull requests. For more information, check out the Release Notes and updated Docs. If you have questions, pop over to our Community Forum, where you can work with other community members to find your answers. And as always, we look forward to your feedback.
This is a companion discussion topic for the original entry at https://traefik.io/blog/announcing-traefik-proxy-v2-11