Merge v1.5.2 into master

CHANGELOG.md

@@ -1,5 +1,26 @@
 # Change Log
 
+## [v1.5.2](https://github.com/containous/traefik/tree/v1.5.2) (2018-02-12)
+[All Commits](https://github.com/containous/traefik/compare/v1.5.1...v1.5.2)
+
+**Bug fixes:**
+- **[acme,cluster,kv]** Compress ACME certificates in KV stores. ([#2814](https://github.com/containous/traefik/pull/2814) by [nmengin](https://github.com/nmengin))
+- **[acme]** Traefik still start when Let's encrypt is down ([#2794](https://github.com/containous/traefik/pull/2794) by [Juliens](https://github.com/Juliens))
+- **[docker]** Fix dnsrr endpoint mode excluded when not using swarm LB ([#2795](https://github.com/containous/traefik/pull/2795) by [mmatur](https://github.com/mmatur))
+- **[eureka]** Continue refresh the configuration after a failure. ([#2838](https://github.com/containous/traefik/pull/2838) by [ldez](https://github.com/ldez))
+- **[logs]** Reduce oxy round trip logs to debug. ([#2821](https://github.com/containous/traefik/pull/2821) by [timoreimann](https://github.com/timoreimann))
+- **[websocket]** Fix goroutine leaks in websocket ([#2825](https://github.com/containous/traefik/pull/2825) by [Juliens](https://github.com/Juliens))
+- Hide the pflag error when displaying help. ([#2800](https://github.com/containous/traefik/pull/2800) by [ldez](https://github.com/ldez))
+
+**Documentation:**
+- **[docker]** Explain how to write entrypoints definition in a compose file ([#2834](https://github.com/containous/traefik/pull/2834) by [mmatur](https://github.com/mmatur))
+- **[docker]** Fix typo ([#2813](https://github.com/containous/traefik/pull/2813) by [uschtwill](https://github.com/uschtwill))
+- **[k8s]** typo in "i"ngress annotations. ([#2780](https://github.com/containous/traefik/pull/2780) by [RRAlex](https://github.com/RRAlex))
+- Clarify how setting a frontend priority works ([#2818](https://github.com/containous/traefik/pull/2818) by [sirlatrom](https://github.com/sirlatrom))
+- Fixed typo. ([#2811](https://github.com/containous/traefik/pull/2811) by [sonus21](https://github.com/sonus21))
+- Docs: regex+replacement hints for URL rewriting ([#2802](https://github.com/containous/traefik/pull/2802) by [djeeg](https://github.com/djeeg))
+- Add documentation about entry points definition with CLI. ([#2798](https://github.com/containous/traefik/pull/2798) by [ldez](https://github.com/ldez))
+
 ## [v1.5.1](https://github.com/containous/traefik/tree/v1.5.1) (2018-01-29)
 [All Commits](https://github.com/containous/traefik/compare/v1.5.0...v1.5.1)
 

CONTRIBUTING.md

@@ -87,9 +87,11 @@ If you happen to update the provider templates (in `/templates`), you need to ru
 
 [dep](https://github.com/golang/dep) is not required for building; however, it is necessary to modify dependencies (i.e., add, update, or remove third-party packages)
 
+You need to use [dep](https://github.com/golang/dep) >= O.4.1.
+
 If you want to add a dependency, use `dep ensure -add` to have [dep](https://github.com/golang/dep) put it into the vendor folder and update the dep manifest/lock files (`Gopkg.toml` and `Gopkg.lock`, respectively).
 
-A following `make prune-dep` run should be triggered to trim down the size of the vendor folder.
+A following `make dep-prune` run should be triggered to trim down the size of the vendor folder.
 The final result must be committed into VCS.
 
 Here's a full example using dep to add a new dependency:

Gopkg.toml

@@ -156,6 +156,10 @@
   branch = "master"
   name = "github.com/stvp/go-udp-testing"
 
+[[constraint]]
+  name = "github.com/stretchr/testify"
+  version = "1.2.1"
+
 [[constraint]]
   name = "github.com/uber/jaeger-client-go"
   version = "2.9.0"
@@ -233,3 +237,8 @@
   # ALWAYS keep this override
   name = "github.com/mailgun/timetools"
   revision = "7e6055773c5137efbeb3bd2410d705fe10ab6bfd"
+
+[prune]
+  non-go = true
+  go-tests = true
+  unused-packages = true

Makefile

@@ -127,7 +127,11 @@ fmt:
 pull-images:
 	grep --no-filename -E '^\s+image:' ./integration/resources/compose/*.yml | awk '{print $$2}' | sort | uniq  | xargs -P 6 -n 1 docker pull
 
-prune-dep:
+dep-ensure:
+	dep ensure -v
+	./script/prune-dep.sh
+
+dep-prune:
 	./script/prune-dep.sh
 
 help: ## this help

build.Dockerfile

@@ -11,15 +11,13 @@ RUN go get github.com/containous/go-bindata/... \
 
 # Which docker version to test on
 ARG DOCKER_VERSION=17.03.2
-ARG DEP_VERSION=0.3.2
+ARG DEP_VERSION=0.4.1
 
 # Download dep binary to bin folder in $GOPATH
 RUN mkdir -p /usr/local/bin \
     && curl -fsSL -o /usr/local/bin/dep https://github.com/golang/dep/releases/download/v${DEP_VERSION}/dep-linux-amd64 \
     && chmod +x /usr/local/bin/dep
 
-
-
 # Download docker
 RUN mkdir -p /usr/local/bin \
     && curl -fL https://download.docker.com/linux/static/stable/x86_64/docker-${DOCKER_VERSION}-ce.tgz \

docs/configuration/acme.md

@@ -165,9 +165,26 @@ storage = "acme.json"
 # ...
 ```
 
-File or key used for certificates storage.
+The `storage` option sets where are stored your ACME certificates.
 
-**WARNING:** If you use Træfik in Docker, you have 2 options:
+There are two kind of `storage` :
+- a JSON file,
+- a KV store entry.
+
+!!! danger "DEPRECATED"
+    `storage` replaces `storageFile` which is deprecated.
+
+!!! note
+    During Træfik configuration migration from a configuration file to a KV store (thanks to `storeconfig` subcommand as described [here](/user-guide/kv-config/#store-configuration-in-key-value-store)), if ACME certificates have to be migrated too, use both `storageFile` and `storage`.
+
+    - `storageFile` will contain the path to the `acme.json` file to migrate.
+    - `storage` will contain the key where the certificates will be stored.
+
+#### Store data in a file
+
+ACME certificates can be stored in a JSON file which with the `600` right mode. 
+
+There are two ways to store ACME certificates in a file from Docker:
 
 - create a file on your host and mount it as a volume:
 ```toml
@@ -176,7 +193,6 @@ storage = "acme.json"
 ```bash
 docker run -v "/my/host/acme.json:acme.json" traefik
 ```
-
 - mount the folder containing the file as a volume
 ```toml
 storage = "/etc/traefik/acme/acme.json"
@@ -185,14 +201,24 @@ storage = "/etc/traefik/acme/acme.json"
 docker run -v "/my/host/acme:/etc/traefik/acme" traefik
 ```
 
-!!! note
-    `storage` replaces `storageFile` which is deprecated.
+!!! warning
+    This file cannot be shared per many instances of Træfik at the same time.
+    If you have to use Træfik cluster mode, please use [a KV Store entry](/configuration/acme/#storage-kv-entry).
 
-!!! note
-    During Træfik configuration migration from a configuration file to a KV store (thanks to `storeconfig` subcommand as described [here](/user-guide/kv-config/#store-configuration-in-key-value-store)), if ACME certificates have to be migrated too, use both `storageFile` and `storage`.
+#### Store data in a KV store entry
 
-    - `storageFile` will contain the path to the `acme.json` file to migrate.
-    - `storage` will contain the key where the certificates will be stored.
+ACME certificates can be stored in a KV Store entry.
+
+```toml
+storage = "traefik/acme/account"
+```
+
+**This kind of storage is mandatory in cluster mode.**
+
+Because KV stores (like Consul) have limited entries size, the certificates list is compressed before to be set in a KV store entry.
+
+!!! note
+    It's possible to store up to approximately 100 ACME certificates in Consul.
 
 ### `acme.httpChallenge`
 
@@ -288,7 +314,7 @@ Useful if internal networks block external DNS queries.
 
 ### `onDemand` (Deprecated)
 
-!!! warning
+!!! danger "DEPRECATED"
     This option is deprecated.
 
 ```toml
@@ -365,12 +391,12 @@ Each domain & SANs will lead to a certificate request.
 
 ### `dnsProvider` (Deprecated)
 
-!!! warning
+!!! danger "DEPRECATED"
     This option is deprecated.
     Please refer to [DNS challenge provider section](/configuration/acme/#provider)
 
 ### `delayDontCheckDNS` (Deprecated)
 
-!!! warning
+!!! danger "DEPRECATED"
     This option is deprecated.
     Please refer to [DNS challenge delayBeforeCheck section](/configuration/acme/#delaybeforecheck)

docs/configuration/entrypoints.md

@@ -79,7 +79,23 @@ For more information about the CLI, see the documentation about [Traefik command
     Whitespace is used as option separator and `,` is used as value separator for the list.  
     The names of the options are case-insensitive.
 
-All available options:
+In compose file the entrypoint syntax is different:
+
+```yaml
+traefik:
+    image: traefik
+    command:
+        - --defaultentrypoints=powpow
+        - "--entryPoints=Name:powpow Address::42 Compress:true"
+```
+or
+```yaml
+traefik:
+    image: traefik
+    command: --defaultentrypoints=powpow --entryPoints='Name:powpow Address::42 Compress:true'
+```
+
+#### All available options:
 
 ```ini
 Name:foo
@@ -223,9 +239,8 @@ In the example below both `snitest.com` and `snitest.org` will require client ce
 ```
 
 !!! note
-
-The deprecated argument `ClientCAFiles` allows adding Client CA files which are mandatory.
-If this parameter exists, the new ones are not checked.
+    The deprecated argument `ClientCAFiles` allows adding Client CA files which are mandatory.
+    If this parameter exists, the new ones are not checked.
 
 ## Authentication
 

docs/user-guide/cluster-docker-consul.md

@@ -94,8 +94,8 @@ services:
     image: traefik:1.5
     command:
       - "--api"
-      - "--entrypoints='Name:http Address::80 Redirect.EntryPoint:https'"
-      - "--entrypoints='Name:https Address::443 TLS'"
+      - "--entrypoints=Name:http Address::80 Redirect.EntryPoint:https"
+      - "--entrypoints=Name:https Address::443 TLS"
       - "--defaultentrypoints=http,https"
       - "--acme"
       - "--acme.storage=/etc/traefik/acme/acme.json"
@@ -204,8 +204,8 @@ services:
     command:
       - "storeconfig"
       - "--api"
-      - "--entrypoints='Name:http Address::80 Redirect.EntryPoint:https'"
-      - "--entrypoints='Name:https Address::443 TLS'"
+      - "--entrypoints=Name:http Address::80 Redirect.EntryPoint:https"
+      - "--entrypoints=Name:https Address::443 TLS"
       - "--defaultentrypoints=http,https"
       - "--acme"
       - "--acme.storage=traefik/acme/account"

docs/user-guide/cluster.md

@@ -23,3 +23,11 @@ A Træfik cluster is based on a manager/worker model.
 
 When starting, Træfik will elect a manager.
 If this instance fails, another manager will be automatically elected.
+
+## Træfik cluster and Let's Encrypt
+
+**In cluster mode, ACME certificates have to be stored in [a KV Store entry](/configuration/acme/#storage-kv-entry).**
+
+Thanks to the Træfik cluster mode algorithm (based on [the Raft Consensus Algorithm](https://raft.github.io/)), only one instance will contact Let's encrypt to solve the challenges.
+
+The others instances will get ACME certificate from the KV Store entry.

examples/acme/compose-acme.yml

@@ -29,6 +29,8 @@ services :
         - bhsm
         - bmysql
         - brabbitmq
+      volumes:
+        - "./rate-limit-policies.yml:/go/src/github.com/letsencrypt/boulder/test/rate-limit-policies.yml:ro"
 
   bhsm:
       image: letsencrypt/boulder-tools:2016-11-02

examples/acme/rate-limit-policies.yml

@@ -0,0 +1,42 @@
+totalCertificates:
+  window: 1h
+  threshold: 100000
+certificatesPerName:
+  window: 1h
+  threshold: 100000
+  overrides:
+    ratelimit.me: 1
+    lim.it: 0
+    # Hostnames used by the letsencrypt client integration test.
+    le.wtf: 10000
+    le1.wtf: 10000
+    le2.wtf: 10000
+    le3.wtf: 10000
+    nginx.wtf: 10000
+    good-caa-reserved.com: 10000
+    bad-caa-reserved.com: 10000
+    ecdsa.le.wtf: 10000
+    must-staple.le.wtf: 10000
+  registrationOverrides:
+    101: 1000
+registrationsPerIP:
+  window: 1h
+  threshold: 100000
+  overrides:
+    127.0.0.1: 1000000
+pendingAuthorizationsPerAccount:
+  window: 1h
+  threshold: 100000
+certificatesPerFQDNSet:
+  window: 1h
+  threshold: 100000
+  overrides:
+    le.wtf: 10000
+    le1.wtf: 10000
+    le2.wtf: 10000
+    le3.wtf: 10000
+    le.wtf,le1.wtf: 10000
+    good-caa-reserved.com: 10000
+    nginx.wtf: 10000
+    ecdsa.le.wtf: 10000
+    must-staple.le.wtf: 10000

examples/cluster/docker-compose.yml

@@ -73,6 +73,8 @@ services:
         - bhsm
         - bmysql
         - brabbitmq
+      volumes:
+        - "./rate-limit-policies.yml:/go/src/github.com/letsencrypt/boulder/test/rate-limit-policies.yml:ro"
       networks:
         net:
           ipv4_address: 10.0.1.3