Merge pull request #785 from fabiolb/release/1.5.14

updating documentation for pending 1.5.14 release

CHANGELOG.md

@@ -1,5 +1,44 @@
 ## Changelog
 
+### [v1.6.14](https://github.com/fabiolb/fabio/releases/tag/v1.5.14) - 9 Sep 2020
+
+
+#### Bug Fixes
+
+* [PR #644](https://github.com/fabiolb/fabio/pull/644) - Better error handling (@danlsgiga)
+
+* [PR #739](https://github.com/fabiolb/fabio/pull/739) - Fix infinite buffering of SSE responses when gzip is enabled (@ctlajoie)
+
+* [PR #733](https://github.com/fabiolb/fabio/pull/733) - Add missing <svc> entry to example route (@BenjaminHerbert)
+
+* [PR #674](https://github.com/fabiolb/fabio/pull/674) - Deprecate deregisterCriticalServiceAfter option (@pschultz)
+
+* [PR #648](https://github.com/fabiolb/fabio/pull/648) - Issue #647 NormalizeHost (@murphymj25)
+
+* [Issue #737](https://github.com/fabiolb/fabio/issues/737) - Preserve table state by storing buffer table in fixed strings (@leprechau)
+
+* [PR #774](https://github.com/fabiolb/fabio/pull/774) - Documentation fixes (@Oxflotus)
+
+* [PR #775](https://github.com/fabiolb/fabio/pull/775) - fix typo in comments (@josgraha)
+
+* [PR #787](https://github.com/fabiolb/fabio/pull/787) - fix matchingHostNoGlob sometimes returns incorrect host (@nathanejohnson @leprechau)
+
+#### Improvements
+
+* [PR #626](https://github.com/fabiolb/fabio/pull/626): Add TCP Dynamic support (@murphymj25)
+
+* [PR #635](https://github.com/fabiolb/fabio/pull/635): Add idleTimeout to config and to serve.go HTTP server (@galen0624)
+
+* [PR #572](https://github.com/fabiolb/fabio/pull/572): Issue #558 - Add Polling Interval from Fabio to Consul to Fabio Config (@galen0624)
+
+* [PR #615](https://github.com/fabiolb/fabio/pull/615): Issue #554 - Added compiled glob matching using LRU Cache (@galen0624 @magiconair @leprechau)
+
+* [PR #715](https://github.com/fabiolb/fabio/pull/715): Add HTTP method and path to trace span operation name (@hobochili)
+
+* [PR #489](https://github.com/fabiolb/fabio/pull/489): Pass encoded characters in path unchanged (@valentin-krasontovitsch)
+
+* [PR #784](https://github.com/fabiolb/fabio/pull/784): Add https+tcp+sni listener support (@nathanejohnson)
+
 ### [v1.5.13](https://github.com/fabiolb/fabio/releases/tag/v1.5.13) - 18 Nov 2019
 
 #### Bug Fixes

Dockerfile-goreleaser

@@ -1,4 +1,4 @@
-FROM alpine:3.10
+FROM alpine:3.12
 RUN apk update && apk add --no-cache ca-certificates
 COPY fabio /usr/bin
 ADD fabio.properties /etc/fabio/fabio.properties

docs/content/faq/verifying-releases.md

@@ -7,6 +7,67 @@ and by verifying the checksums with a GPG key.
 
 You can verify the SHA256 checksums with the GPG key below.
 You can also download it from most key servers using the ID
+
+For fabio release 5.14 and newer:
+
+[`76462AB9B0C185ABC66FD98F59861FC4870361CA`](http://pgp.key-server.io/search/0x76462AB9B0C185ABC66FD98F59861FC4870361CA)
+
+    -----BEGIN PGP PUBLIC KEY BLOCK-----
+
+    mQINBF40mfQBEADHOlocoiOY66SLZtzJjCNKFeerYH2zHNU3sLK+sHp/76MUrPV4
+    uDG3T6a6QK0HUKLy/hxKh/wftNCOaSYTwNVbYJ1EYBnBEgxuKNM8K5xOCKjwWrXF
+    J80xoXBJXXmJvOFHEoWjUnDAMVUJyf3bt0sT0vOA5OTdbd2LhimDOpeIiO/umZKp
+    0ZsDcjUPUuIenqnKyk4UwAfXdWxrj2g5/But1n3nasvgtEtQg9CaSloh6Zgzcy+3
+    I+jpCn2FLOay+THABkM+XmjSYudkIFlqsZwkB2GxwTaRXENt8QUK7i4GWVCcPN6x
+    gYgIz9uLZQXkkxGZvasC5fUm/W6F0pyz1wUbbizhDuBhoez3XdJdhW8nWCT6rg5M
+    ejgkSVoG/fqoG9SoFXeTlQjZJSc8+0pTgWsqnuwmM+eFllvORSKS7uwBNg7jvFPv
+    4yLGCR5bGxTX7VM4XPkLR2pUF/nHmSohiGOWpqw+PRVwOWBBMi+r4c4SckR4MMOB
+    NK+KJTQnildsnqw/mvf98Op4GrAtD4MQDFRKD2TSIq60qFTe6MF77P50Z33r6x5x
+    CPN7XYTzZKPPiHf5uWtyOvH3V+vxHX2N0zAsRADXW+Jsly/Wwt0k8Km3beaF/Jvw
+    AFQwneh50L5Pv+Tb+8b6xS8gvIeGPgs4lcxRDxFEcFKN58OjtDelN212cQARAQAB
+    tCVhZG1pbkBmYWJpb2xiLm5ldCA8YWRtaW5AZmFiaW9sYi5uZXQ+iQJUBBMBCgA+
+    FiEEdkYqubDBhavGb9mPWYYfxIcDYcoFAl40mfQCGwMFCQk/xgAFCwkIBwMFFQoJ
+    CAsFFgIDAQACHgECF4AACgkQWYYfxIcDYcqCgQ/8CfH2EBmBlHB7jlI4nFu17fqV
+    WTXxhuo2UcTCQ3G8at32V27FZTFq64rtY7/QmY3HyHhdn77NXzIlLDsaD07IEBpw
+    GFf05V1vVm/Y+DB/3vmHr+bEP5bB4RZqYz+U1cSGTEg2S3sOuz416gJdoCFN8Lin
+    1fHRuGfZTJ2j2oQhUsYbt+GBpPm7xtpqK4yfCd4gT2vhDzbDG9QSLMrrLh/aA6Ya
+    IcZZCsXpnRPhfvPrp0LuIY9Lml+EaMfNxsoXYl2W5c+BpXG93ThSLKPc8XM/7e4A
+    CkRWNLKihVZNDmGCIy2FIFIV9YlEIhAAtZPhsUE3rnrIUgHETPYwDvAJB4pbJrLe
+    bwnRuWZlYNsPZp8W4RxbQVcHpsg+sWoyAkykWxs9FbxgXEGd0+wP5tumFquyfijg
+    eQLnsFU7KlQA+5Rh6ulrvzMNHFBYLoPa+U1soR6Jg0hCPhkzc+6tzTrmUCg7H7+i
+    49szuN2KZr6k5GR+f2p9mOlnHmjJSJVULtnBQJMfTEnqzszvw9OgO1j72x7hTVRO
+    UQSV6NXr0GFr293iTJS1x2/zFETCZelxVwbyp0t/psDz8nv6aXMcSjzcoWgmRRcP
+    zpfNidLLp3Ym9XKtz7kvPI/PRTsHoO+qw6H6Kw8jMxxIv5hApCI/YOt5GFBlXmZq
+    hBckyt1rS0kW5zQsStS5Ag0EXjSZ9AEQAMrim1LXqnqdMJlc6sj++TZgoLeYmtSI
+    4n/J1AGk9/BIumJKgCL5TPvUhz7HUWjhOqhtH/1/EyxPTI25Up7QcQKb0TYG/6Gn
+    3mIeBsvTdPZWmwq0e7aCrTSU8bYNnuMKAFxlPPG/lu7v1QQkaPgbEMOZI7cDA7V8
+    TLs/uQcAjGPdu2f2mJ/m+kgjeOwud+43CF4aI2/eVd39DqjjDrRImUc3OXypE4vW
+    PRq2ooSnS7VE0yU3QBubdPB8Y7x7R5bDE9fgLjZ9t//bSLgZfVzZoc7TvycH9opk
+    zr1LD4XEdZYFWc1h7++ci+f75/QQppPto3ItK61oUnpyO5J0Bl/Ay7086xU8b5Be
+    mPFDVMUE8SW2a+baaDKwbYUvImSI2CwNkCuYieGuAueMkY+Coe7AdaDhtuzINkby
+    e9ALGGbpRi/ByURQoW9akQt+ap7I8/bdp+IFYWT8K1HFogd5y0+TYaatpnT9jJYM
+    64GtnDhyD2ncyLNM1a7YOn4e+WWiK8datzn962VsaSXjAPKvVROkgLoedDU9oiDm
+    ITDZgcsyY6ATgYmzlN2Qm8ubig1adZdGWsWzv0d9Qj8AEzsPqRVrQ6Ofc/sNi5Y3
+    ELSOpWUOetbKEBFYe3oA2Bu6LOqd3lcKittWke3RMkehKFqxFdmBwjcrCtIjLicv
+    IemWK6rAAYmJABEBAAGJAjwEGAEKACYWIQR2Riq5sMGFq8Zv2Y9Zhh/EhwNhygUC
+    XjSZ9AIbDAUJCT/GAAAKCRBZhh/EhwNhyrzoEACe9SVpr6TaFvIcfcvj9d4FOmiK
+    Tgm64SEnYDDs6JhzD3p38Ut80d6y2vg9WUMUA3dhftbAyr/rqkZghiV3UhWJGPJm
+    AGWVG3p5TpSPCloFUlHHMWXCJm4UAoo75ud15PYD8CtUfOYc68A7a+9f+1dC5gRy
+    rVjBltWshsai+CjksRlg64wGMvJL7ghcsGoxFOzU/khGvo5JZ3OzObscYLxBKPnY
+    sUPerHnKB63CYxNfkd2aziapE7zXqoN1ZAFKwsBp38CiuBIT+8bb6+vAy9azfW/J
+    mGqjn4vfBUpdTsPbRRRI3CAoUN8R5QqVCCzV6hcv2p921ZWNpO0QxaHJYq0W3mwH
+    ls5eJOWJwx3qZ8ZB84fnuUb1YhzNjOSJDjgE8ZJ1iHf+ZTpqNRNbsyshfPcI5FYR
+    /PKPXTGNTeTFAXiQ/UjxFK/UEVWs3mDfqtyvC+Z5s7jCGabPwoOvWeHGMHUWWZRv
+    NU+TL+pUMWY29wKsDsk7zriokCDApNnJJb52/tIzk/XHMLPBjGSoYinKYMALYbAp
+    6UvSeJ6cJ/+5vwXJadMyiYrsPPQiuVCUfVg6KcX6B/+2MaKoyY3s8DaZ1vFdtZcg
+    1tjLI383GOEuDGfUDOgrlTikgpxbT2q4Zq80aQhPD8mMlpqdTO4UWfvwwx0FPH04
+    5xVKlvTztaHhtaWHkg==
+    =b3Un
+    -----END PGP PUBLIC KEY BLOCK-----
+
+
+For release 5.13 and older:
+
 [`D8B19A29317E92E470D7CD67021E03CADDA53977`](http://pgp.key-server.io/search/0xD8B19A29317E92E470D7CD67021E03CADDA53977)
 
 
@@ -78,18 +139,18 @@ For example:
 
 ```
 # This is the public key from above - one-time step.
-gpg --import magiconair.asc
+gpg --import fabiolb.asc
 
 # Download the binary and signature files.
-curl -OsL https://github.com/eBay/fabio/releases/download/v1.3.2/fabio-1.3.2-go1.7.1_linux-amd64
-curl -OsL https://github.com/eBay/fabio/releases/download/v1.3.2/fabio-1.3.2.sha256
-curl -OsL https://github.com/eBay/fabio/releases/download/v1.3.2/fabio-1.3.2.sha256.sig
+curl -OsL https://github.com/fabiolb/fabio/releases/download/v1.5.14/fabio-1.5.14-go1.7.1_linux-amd64
+curl -OsL https://github.com/fabiolb/fabio/releases/download/v1.5.14/fabio-1.5.14.sha256
+curl -OsL https://github.com/fabiolb/fabio/releases/download/v1.5.14/fabio-1.5.14.sha256.sig
 
 # Verify the signature file is untampered.
-gpg --verify fabio-1.3.2.sha256.sig fabio-1.3.2.sha256
+gpg --verify fabio-1.5.14.sha256.sig fabio-1.5.14.sha256
 
 # Verify the SHASUM matches the binary.
-shasum -a 256 -c fabio-1.3.2.sha256
+shasum -a 256 -c fabio-1.5.14.sha256
 ```
 
 ## Note

docs/content/feature/_index.md

@@ -20,6 +20,7 @@ The following list provides a list of features supported by fabio.
  * [Server-Sent Events/SSE](/feature/sse/) - support for Server-Sent Events/SSE
  * [TCP Proxy Support](/feature/tcp-proxy/) - raw TCP proxy support
  * [TCP-SNI Proxy Support](/feature/tcp-sni-proxy/) - forward TLS connections based on hostname without re-encryption
+ * [HTTPS TCP-SNI Proxy Support](/feature/https-tcp-sni-proxy/) - forward TLS connections based on hostname without re-encryption, or fallback to fabio terminating TLS and path routing as a fallback
  * [Traffic Shaping](/feature/traffic-shaping/) - forward N% of traffic upstream without knowing the number of instances
  * [Web UI](/feature/web-ui/) - web ui to examine the current routing table
  * [Websocket Support](/feature/websockets/) - websocket support

docs/content/feature/https-tcp-sni-proxy.md

@@ -0,0 +1,24 @@
+---
+title: "HTTPS TCP-SNI Proxy"
+since: "1.5.14"
+---
+
+fabio can run a TCP+SNI routing proxy on a listener, and have fallback to https functionality.
+ This is effectively an amalgam of the TCP-SNI Proxy and the HTTPS functionality.
+
+ To enable this feature configure a listener as follows:
+
+ ```
+ fabio -proxy.addr=':443;proto=https+tcp+sni;cs=somecertstore'
+ ```
+
+For host matches that are proto=tcp or have a scheme of tcp://, this will proxy TCP using SNI.
+
+You would register your service in [Consul](https://consul.io) with a `urlprefix-` tag that
+matches the host from the SNI extension for any services that should be proxied TCP (TLS
+terminated by upstream).  If the upstream service you'd like to proxy TCP responds to
+`https://foo.com/...` then you should register a `urlprefix-foo.com/ proto=tcp` tag for this
+service.
+
+For path based matching, you would do the typical `urlprefix-/path/` and this would cause
+fabio to terminate TLS using the cs= line specified in the config.

docs/content/ref/proxy.addr.md

@@ -22,6 +22,8 @@ The supported protocols are:
 * `grpcs` for GRPC+TLS based protocols
 * `tcp` for a raw TCP proxy with or witout TLS support
 * `tcp+sni` for an SNI aware TCP proxy
+* `tcp-dynamic` for a consul driven TCP proxy
+* `https+tcp+sni` for an SNI aware TCP proxy with https fallthrough
 
 If no `proto` option is specified then the protocol
 is either `http` or `https` depending on whether a
@@ -56,8 +58,8 @@ to the destination without decrypting the traffic.
   http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt
 
 * `pxytimeout`: Sets PROXY protocol header read timeout as a duration (e.g. '250ms').
-  This defaults to 250ms if not set when 'pxyproto' is enabled.
-
+  This defaults to 250ms if not set when `pxyproto` is enabled.
+* `refresh`: Sets the refresh interval to check the route table for updates. Used when `tcp-dynamic` is enabled.
 #### TLS options
 
 * `tlsmin`: Sets the minimum TLS version for the handshake. This value
@@ -104,6 +106,12 @@ to the destination without decrypting the traffic.
     # TCP listener on port 443 with SNI routing
     proxy.addr = :443;proto=tcp+sni
 
+    # TCP listener on port 443 with SNI routing with HTTPS fallthrough
+    proxy.addr = :443;proto=https+tcp+sni;cs=some-name
+
+    # TCP listeners using consul for config with 5 second refresh interval
+    proxy.addr = 0.0.0.0:0;proto=tcp-dynamic;refresh=5s
+
 The default is
 
     proxy.addr = :9999