Hello,
With some other Traefik maintainers, we're gearing up for a potential release of Traefik v2.11 and we wanted to loop you in on the action.
You can find more information in the dedicated GitHub proposal.
Don't hesitate to join the discussion.
Thanks for the effort. So you want us to name the bugs and features that are close to our heart, which we would like to get delivered with v2.11?
I got some
opened 07:26PM - 31 Aug 22 UTC
kind/proposal
area/server
### Welcome!
- [X] Yes, I've searched similar issues on [GitHub](https://github.com/traefik/traefik/issues) and didn't find any.
- [X] Yes, I've searched similar issues on the [Traefik community forum](https://community.traefik.io) and didn't find any.
### What did you expect to see?
We run multiple Traefik instances behind a load balancer using ProxyProtocol.
```
entryPoints:
  web:
    address: :80
    proxyProtocol:
      insecure: true
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: :443
    proxyProtocol:
      trustedIPs:
        - 1.2.3.4
        - 5.6.7.8
```
It would be great if Traefik could add the IP of the ProxyProtocol host to the HTTP headers, so our app can see which load balancer was used for the request.
```
Hostname: myhost
IP: 127.0.0.1
IP: 10.0.16.28
IP: 172.19.0.5
RemoteAddr: 10.0.16.26:42274
GET / HTTP/1.1
Host: myhost.example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 67.78.89.90
X-Forwarded-Host: myhost.example.com
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: myhost
X-Forwarded-Proxy: 1.2.3.4 <====================
X-Real-Ip: 67.78.89.90
```
opened 07:16AM - 27 Sep 22 UTC
closed 11:54AM - 28 Sep 22 UTC
resolution/duplicate
status/5-frozen-due-to-age
### Welcome!
- [X] Yes, I've searched similar issues on [GitHub](https://github.com/traefik/traefik/issues) and didn't find any.
- [X] Yes, I've searched similar issues on the [Traefik community forum](https://community.traefik.io) and didn't find any.
### What did you expect to see?
It would be great to have `trustedIPs` as dynamic config, so when we add a load balancer we don't need to restart Traefik, but we can just update a dynamic configuration file for "zero downtime deployments".
From the [Traefik EntryPoints docs](https://doc.traefik.io/traefik/routing/entrypoints/#proxyprotocol):
```
## Static configuration
entryPoints:
  web:
    address: ":80"
    proxyProtocol:
      trustedIPs:
        - "127.0.0.1/32"
        - "192.168.1.7"
```
opened 02:14PM - 16 Dec 22 UTC
closed 06:14PM - 19 Dec 22 UTC
resolution/duplicate
status/5-frozen-due-to-age
### Welcome!
- [X] Yes, I've searched similar issues on [GitHub](https://github.com/traefik/traefik/issues) and didn't find any.
- [X] Yes, I've searched similar issues on the [Traefik community forum](https://community.traefik.io) and didn't find any.
### What did you expect to see?
In our world of IT, security gets more and more important, even within networks. Services are compartmentalised, connections within are encrypted. Traefik can support this with loadbalancing to targets with custom TLS using [insecureskipverify](https://doc.traefik.io/traefik/routing/services/#insecureskipverify).
The current challenge is that `insecureskipverify` can not just be enabled for a loadbalancer via Docker container labels, but it needs to be defined within a `servertransport`, which then needs to be assigned. But the `servertransport` can not be created within labels, but it needs to come via `provider.file`, meaning you have an extra file to take care of and can not just use a single `docker-compose.yml`. Or you define a global `servertransport`, but then you can not verify any internal TLS.
This feature request calls for enabling `servertransport` and `insecureskipverify` on Docker labels to make use easier, make our IT world a bit more secure and reduce the support requests in the Traefik community.
Example of how it should work:
```
version: '3.9'
services:
  portainer:
    image: portainer/portainer-ce:2.16.2
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - portainer_data:/data
    networks:
      - proxy
      - agent_network
    labels:
      - traefik.enable=true
      - traefik.http.routers.portainer.rule=Host(`portainer.example.com`)
      - traefik.http.routers.portainer.tls.certresolver=myresolver
      - traefik.http.services.portainer.loadbalancer.passhostheader=true
      - traefik.http.services.portainer.loadbalancer.server.port=9443
      - traefik.http.services.portainer.loadbalancer.serverstransport=mytransport
      - traefik.http.serverstransports.mytransport.insecureskipverify=true
```
Some Traefik community references: [1](https://community.traefik.io/t/insecureskipverify-how-to-apply-this-at-a-service-level-in-docker-compose/16155/4), [2](https://community.traefik.io/t/traefik-portainer-bad-certificate/16799/14), [3](https://community.traefik.io/t/servers-transport-not-found/11513), [4](https://community.traefik.io/t/insecureskipverify-true/11316/3)
opened 09:12AM - 13 Jun 23 UTC
kind/enhancement
area/documentation
priority/P3
contributor/wanted
### Welcome!
- [X] Yes, I've searched similar issues on [GitHub](https://github.com/traefik/traefik/issues) and didn't find any.
- [X] Yes, I've searched similar issues on the [Traefik community forum](https://community.traefik.io) and didn't find any.
### What did you expect to see?
[Traefik ForwardAuth documentation](https://doc.traefik.io/traefik/middlewares/http/forwardauth/) is IMHO missing some information bits:
1. Will original requests be forwarded with the same HTTP method or will they all be "converted" to GET?
2. If POSTs are forwarded as POSTs, how can the BODY be disabled? Nginx has `proxy_pass_request_body off;`
opened 10:42PM - 02 Feb 22 UTC
kind/proposal
area/provider
area/service
Hi, I would love to have this possibility.
Configure Traefik via label providers: allow setting the `traefik.http.services.<service-name>.loadBalancer.server.url`
For example in Docker:
```yaml
version: "3.7"
services:
  rp:
    labels:
      traefik.http.routers.proxy.entryPoints: web
      traefik.http.routers.proxy.service: proxy-crt
      traefik.http.routers.proxy.rule: PathPrefix(`/proxy-crt`)
      traefik.http.routers.proxy.middlewares: strip-crt, cors-crt
      traefik.http.services.proxy.loadBalancer.server.url: ${A_URL_AS_VARIABLE}
      traefik.http.middlewares.strip.stripPrefix.prefixes: /proxy-crt
      traefik.http.middlewares.cors.headers.accessControlAllowMethods: GET,OPTIONS
      traefik.http.middlewares.cors.headers.accessControlAllowOriginlist: "*"
      traefik.http.middlewares.cors.headers.accessControlMaxAge: 86400
```
I have seen this question:
https://community.traefik.io/t/traefik-v2-with-docker-compose-external-services-possible/5792/2
I know that setting this exact configuration is possible with the file provider, but as far as I know not with a variable.
```yaml
http:
  routers:
    proxy:
      entryPoints:
        - web
      middlewares:
        - strip
        - cors
      service: proxy
      rule: PathPrefix(`/proxy`)
  services:
    proxy:
      loadBalancer:
        passHostHeader: false
        servers:
          - url: https://example.com # NOT CONTROLLABLE VIA VARIABLE
  middlewares:
    strip:
      stripPrefix:
        prefixes:
          - /proxy
    cors:
      headers:
        accessControlAllowMethods: GET,OPTIONS
        accessControlAllowOriginlist: "*"
        accessControlMaxAge: 86400
```
A similar thing is possible with domain certs:
```yaml
traefik.http.routers.myrouter.tls.domains[0].main: example.org
```
It could then look like this:
```yaml
traefik.http.services.proxy.loadBalancer.servers[0].url: ${A_URL_AS_VARIABLE}
```
In general it’s really annoying for new users to understand first static and dynamic config, and then learn that not all dynamic configs are created equal, as docker labels are missing some of the dynamic file functionality. But that’s probably for v3 or v4.
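As an added example (not part of the post and not Traefik's own code), here is the trust decision behind the two ProxyProtocol entry points in the first request above: a PROXY v1 line is believed only when the TCP peer matches `trustedIPs`, while `insecure: true` believes it from any peer. The second return value is the load balancer address the post asks to expose (the post's proposed `X-Forwarded-Proxy`). The function names `trusted` and `resolve`, the reject-on-untrusted policy and the sample header are assumptions of this sketch.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// trusted reports whether peer matches a trustedIPs entry (single IP or CIDR).
func trusted(peer net.IP, trustedIPs []string) bool {
	for _, e := range trustedIPs {
		if ip := net.ParseIP(e); ip != nil && ip.Equal(peer) {
			return true
		}
		if _, n, err := net.ParseCIDR(e); err == nil && n.Contains(peer) {
			return true
		}
	}
	return false
}

// resolve returns the client IP to report and the load balancer IP (empty when
// no PROXY header was honoured). first is the first line read from the socket.
// A header from an untrusted peer is refused (policy chosen for this sketch).
func resolve(peerAddr, first string, trustedIPs []string, insecure bool) (client, proxy string, err error) {
	host, _, err := net.SplitHostPort(peerAddr)
	if err != nil {
		return "", "", err
	}
	f := strings.Fields(first)
	if len(f) != 6 || f[0] != "PROXY" || (f[1] != "TCP4" && f[1] != "TCP6") {
		return host, "", nil // no PROXY v1 header: the TCP peer is the client
	}
	if !insecure && !trusted(net.ParseIP(host), trustedIPs) {
		return "", "", fmt.Errorf("PROXY header from untrusted peer %s", host)
	}
	src := net.ParseIP(f[2])
	if src == nil {
		return "", "", fmt.Errorf("bad source address %q in PROXY header", f[2])
	}
	return src.String(), host, nil
}

func main() {
	lbs := []string{"1.2.3.4", "5.6.7.8"}                    // trustedIPs from the post
	hdr := "PROXY TCP4 67.78.89.90 10.0.16.28 51234 443\r\n" // constructed sample
	fmt.Println(resolve("1.2.3.4:42274", hdr, lbs, false))   // trusted load balancer
	fmt.Println(resolve("203.0.113.9:40000", hdr, lbs, true)) // insecure: any peer is believed
}
```

With `insecure` set, the reported client address is whatever the connecting peer claims, so any downstream IP allow-list or rate limit keyed on `X-Forwarded-For` or `X-Real-Ip` inherits that trust.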
Hello @bluepuma77,
Thank you for the feedback.
After discussing the scope with many people, with the other maintainers, we've settled that it's better to release a light v2.11 to focus on v3.0.
In your propositions, I've seen a couple of issues are enhancements on which we'd love the community's help.
If contributors open PRs addressing these topics, we'll gladly review them.
Sadly I am no Go developer, only JS and Python.
Why don’t you create some kind of Patreon (donation platform), where people can give a little money dedicated to bugs or features. That is then handed to developers.
Kind of intransparent to me is the development roadmap. There are Traefik employees, there are independent contributors, who is setting the priorities of what is implemented?
I am just interested as I am seeing with another open source tool, that pull requests are sitting unaccepted for multiple months, even though the community is interested.
Update: there is a related post