Merge v1.6.1 into master

CHANGELOG.md

@@ -1,5 +1,20 @@
 # Change Log
 
+## [v1.6.1](https://github.com/containous/traefik/tree/v1.6.1) (2018-05-14)
+[All Commits](https://github.com/containous/traefik/compare/v1.6.0...v1.6.1)
+
+**Bug fixes:**
+- **[acme]** Add missing deprecation info in CLI help. ([#3291](https://github.com/containous/traefik/pull/3291) by [ldez](https://github.com/ldez))
+- **[docker,marathon,rancher]** Fix segment backend name ([#3317](https://github.com/containous/traefik/pull/3317) by [ldez](https://github.com/ldez))
+- **[logs,middleware]** Error when accesslog and error pages ([#3314](https://github.com/containous/traefik/pull/3314) by [ldez](https://github.com/ldez))
+- **[middleware,tracing]** Fix wrong tag in forward span in tracing middleware ([#3279](https://github.com/containous/traefik/pull/3279) by [mmatur](https://github.com/mmatur))
+- **[webui]** Fix webui ([#3299](https://github.com/containous/traefik/pull/3299) by [ldez](https://github.com/ldez))
+
+**Documentation:**
+- **[k8s]** Add Documentation update for Kubernetes Ingress ([#3294](https://github.com/containous/traefik/pull/3294) by [dtomcej](https://github.com/dtomcej))
+- **[tls]** Enhance entry point TLS CLI reference. ([#3290](https://github.com/containous/traefik/pull/3290) by [ldez](https://github.com/ldez))
+- Typo in documentation ([#3261](https://github.com/containous/traefik/pull/3261) by [blakethepatton](https://github.com/blakethepatton))
+
 ## [v1.6.0](https://github.com/containous/traefik/tree/v1.6.0) (2018-04-30)
 [Commits](https://github.com/containous/traefik/compare/v1.5.0-rc1...v1.6.0)
 [Commits pre RC](https://github.com/containous/traefik/compare/v1.5.0-rc1...v1.6.0-rc1)

README.md

@@ -14,7 +14,7 @@
 
 Træfik is a modern HTTP reverse proxy and load balancer that makes deploying microservices easy.
 Træfik integrates with your existing infrastructure components ([Docker](https://www.docker.com/), [Swarm mode](https://docs.docker.com/engine/swarm/), [Kubernetes](https://kubernetes.io), [Marathon](https://mesosphere.github.io/marathon/), [Consul](https://www.consul.io/), [Etcd](https://coreos.com/etcd/), [Rancher](https://rancher.com), [Amazon ECS](https://aws.amazon.com/ecs), ...) and configures itself automatically and dynamically.
-Telling Træfik where your orchestrator is could be the _only_ configuration step you need to do.
+Pointing Træfik at your orchestrator should be the _only_ configuration step you need.
 
 ---
 

acme/acme.go

@@ -41,15 +41,15 @@ type ACME struct {
 	Email                 string                      `description:"Email address used for registration"`
 	Domains               []types.Domain              `description:"SANs (alternative domains) to each main domain using format: --acme.domains='main.com,san1.com,san2.com' --acme.domains='main.net,san1.net,san2.net'"`
 	Storage               string                      `description:"File or key used for certificates storage."`
-	StorageFile           string                      // deprecated
-	OnDemand              bool                        `description:"Enable on demand certificate generation. This will request a certificate from Let's Encrypt during the first TLS handshake for a hostname that does not yet have a certificate."` //deprecated
+	StorageFile           string                      // Deprecated
+	OnDemand              bool                        `description:"(Deprecated) Enable on demand certificate generation. This will request a certificate from Let's Encrypt during the first TLS handshake for a hostname that does not yet have a certificate."` //deprecated
 	OnHostRule            bool                        `description:"Enable certificate generation on frontends Host rules."`
 	CAServer              string                      `description:"CA server to use."`
 	EntryPoint            string                      `description:"Entrypoint to proxy acme challenge to."`
 	DNSChallenge          *acmeprovider.DNSChallenge  `description:"Activate DNS-01 Challenge"`
 	HTTPChallenge         *acmeprovider.HTTPChallenge `description:"Activate HTTP-01 Challenge"`
-	DNSProvider           string                      `description:"Activate DNS-01 Challenge (Deprecated)"`                                                       // deprecated
-	DelayDontCheckDNS     flaeg.Duration              `description:"Assume DNS propagates after a delay in seconds rather than finding and querying nameservers."` // deprecated
+	DNSProvider           string                      `description:"(Deprecated) Activate DNS-01 Challenge"`                                                                    // Deprecated
+	DelayDontCheckDNS     flaeg.Duration              `description:"(Deprecated) Assume DNS propagates after a delay in seconds rather than finding and querying nameservers."` // Deprecated
 	ACMELogging           bool                        `description:"Enable debug logging of ACME actions."`
 	client                *acme.Client
 	defaultCertificate    *tls.Certificate

configuration/configuration.go

@@ -105,13 +105,13 @@ type GlobalConfiguration struct {
 
 // WebCompatibility is a configuration to handle compatibility with deprecated web provider options
 type WebCompatibility struct {
-	Address    string            `description:"Web administration port" export:"true"`
-	CertFile   string            `description:"SSL certificate" export:"true"`
-	KeyFile    string            `description:"SSL certificate" export:"true"`
-	ReadOnly   bool              `description:"Enable read only API" export:"true"`
-	Statistics *types.Statistics `description:"Enable more detailed statistics" export:"true"`
-	Metrics    *types.Metrics    `description:"Enable a metrics exporter" export:"true"`
-	Path       string            `description:"Root path for dashboard and API" export:"true"`
+	Address    string            `description:"(Deprecated) Web administration port" export:"true"`
+	CertFile   string            `description:"(Deprecated) SSL certificate" export:"true"`
+	KeyFile    string            `description:"(Deprecated) SSL certificate" export:"true"`
+	ReadOnly   bool              `description:"(Deprecated) Enable read only API" export:"true"`
+	Statistics *types.Statistics `description:"(Deprecated) Enable more detailed statistics" export:"true"`
+	Metrics    *types.Metrics    `description:"(Deprecated) Enable a metrics exporter" export:"true"`
+	Path       string            `description:"(Deprecated) Root path for dashboard and API" export:"true"`
 	Auth       *types.Auth       `export:"true"`
 	Debug      bool              `export:"true"`
 }

configuration/entrypoints_test.go

@@ -174,7 +174,7 @@ func TestEntryPoints_Set(t *testing.T) {
 			name: "all parameters camelcase",
 			expression: "Name:foo " +
 				"Address::8000 " +
-				"TLS:goo,gii " +
+				"TLS:goo,gii;foo,fii " +
 				"TLS " +
 				"TLS.MinVersion:VersionTLS11 " +
 				"TLS.CipherSuites:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA " +
@@ -211,6 +211,10 @@ func TestEntryPoints_Set(t *testing.T) {
 							CertFile: tls.FileOrContent("goo"),
 							KeyFile:  tls.FileOrContent("gii"),
 						},
+						{
+							CertFile: tls.FileOrContent("foo"),
+							KeyFile:  tls.FileOrContent("fii"),
+						},
 					},
 					ClientCA: tls.ClientCA{
 						Files:    []string{"car"},
@@ -280,7 +284,7 @@ func TestEntryPoints_Set(t *testing.T) {
 			name: "all parameters lowercase",
 			expression: "Name:foo " +
 				"address::8000 " +
-				"tls:goo,gii " +
+				"tls:goo,gii;foo,fii " +
 				"tls " +
 				"tls.minversion:VersionTLS11 " +
 				"tls.ciphersuites:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA " +
@@ -315,6 +319,10 @@ func TestEntryPoints_Set(t *testing.T) {
 							CertFile: tls.FileOrContent("goo"),
 							KeyFile:  tls.FileOrContent("gii"),
 						},
+						{
+							CertFile: tls.FileOrContent("foo"),
+							KeyFile:  tls.FileOrContent("fii"),
+						},
 					},
 					ClientCA: tls.ClientCA{
 						Files:    []string{"car"},

docs/configuration/backends/docker.md

@@ -288,12 +288,12 @@ Segment labels override the default behavior.
 
 | Label                                                                     | Description                                                 |
 |---------------------------------------------------------------------------|-------------------------------------------------------------|
+| `traefik.<segment_name>.backend=BACKEND`                                  | Same as `traefik.backend`                                   |
 | `traefik.<segment_name>.domain=DOMAIN`                                    | Same as `traefik.domain`                                    |
 | `traefik.<segment_name>.port=PORT`                                        | Same as `traefik.port`                                      |
 | `traefik.<segment_name>.protocol=http`                                    | Same as `traefik.protocol`                                  |
 | `traefik.<segment_name>.weight=10`                                        | Same as `traefik.weight`                                    |
 | `traefik.<segment_name>.frontend.auth.basic=EXPR`                         | Same as `traefik.frontend.auth.basic`                       |
-| `traefik.<segment_name>.frontend.backend=BACKEND`                         | Same as `traefik.frontend.backend`                          |
 | `traefik.<segment_name>.frontend.entryPoints=https`                       | Same as `traefik.frontend.entryPoints`                      |
 | `traefik.<segment_name>.frontend.errors.<name>.backend=NAME`              | Same as `traefik.frontend.errors.<name>.backend`            |
 | `traefik.<segment_name>.frontend.errors.<name>.query=PATH`                | Same as `traefik.frontend.errors.<name>.query`              |

docs/configuration/backends/kubernetes.md

@@ -112,7 +112,7 @@ Although traefik will connect directly to the endpoints (pods), it still checks
 If the service port defined in the ingress spec is 443, then the backend communication protocol is assumed to be TLS, and will connect via TLS automatically.
 
 !!! note
-    Please note that by enabling TLS communication between traefik and your pods, you will have to have trusted certificates that have the proper trust chain and IP subject name. 
+    Please note that by enabling TLS communication between traefik and your pods, you will have to have trusted certificates that have the proper trust chain and IP subject name.
     If this is not an option, you may need to skip TLS certificate verification.
     See the [insecureSkipVerify](/configuration/commons/#main-section) setting for more details.
 
@@ -137,7 +137,7 @@ The following general annotations are applicable on the Ingress object:
 | `traefik.ingress.kubernetes.io/redirect-replacement: http://mydomain/$1`        | Redirect to another URL for that frontend. Must be set with `traefik.ingress.kubernetes.io/redirect-regex`.                                     |
 | `traefik.ingress.kubernetes.io/rewrite-target: /users`                          | Replaces each matched Ingress path with the specified one, and adds the old path to the `X-Replaced-Path` header.                               |
 | `traefik.ingress.kubernetes.io/rule-type: PathPrefixStrip`                      | Override the default frontend rule type. Default: `PathPrefix`.                                                                                 |
-| `traefik.ingress.kubernetes.io/whitelist-source-range: "1.2.3.0/24, fe80::/16"` | A comma-separated list of IP ranges permitted for access. all source IPs are permitted if the list is empty or a single range is ill-formatted. |
+| `traefik.ingress.kubernetes.io/whitelist-source-range: "1.2.3.0/24, fe80::/16"` | A comma-separated list of IP ranges permitted for access. all source IPs are permitted if the list is empty or a single range is ill-formatted. Please note, you may have to set `service.spec.externalTrafficPolicy` to the value `Local` to preserve the source IP of the request for filtering. Please see [this link](https://kubernetes.io/docs/tutorials/services/source-ip/) for more information.|
 | `traefik.ingress.kubernetes.io/app-root: "/index.html"`                         | Redirects all requests for `/` to the defined path. (4)                                                                                         |
 
 <1> `traefik.ingress.kubernetes.io/error-pages` example:
@@ -262,4 +262,4 @@ More information are available in the  [User Guide](/user-guide/kubernetes/#add-
 
 !!! note
     Only TLS certificates provided by users can be stored in Kubernetes Secrets.
-    [Let's Encrypt](https://letsencrypt.org) certificates cannot be managed in Kubernets Secrets yet. 
+    [Let's Encrypt](https://letsencrypt.org) certificates cannot be managed in Kubernets Secrets yet.

docs/configuration/backends/marathon.md

@@ -259,13 +259,13 @@ Segment labels override the default behavior.
 
 | Label                                                                     | Description                                                 |
 |---------------------------------------------------------------------------|-------------------------------------------------------------|
+| `traefik.<segment_name>.backend=BACKEND`                                  | Same as `traefik.backend`                                   |
 | `traefik.<segment_name>.domain=DOMAIN`                                    | Same as `traefik.domain`                                    |
 | `traefik.<segment_name>.portIndex=1`                                      | Same as `traefik.portIndex`                                 |
 | `traefik.<segment_name>.port=PORT`                                        | Same as `traefik.port`                                      |
 | `traefik.<segment_name>.protocol=http`                                    | Same as `traefik.protocol`                                  |
 | `traefik.<segment_name>.weight=10`                                        | Same as `traefik.weight`                                    |
 | `traefik.<segment_name>.frontend.auth.basic=EXPR`                         | Same as `traefik.frontend.auth.basic`                       |
-| `traefik.<segment_name>.frontend.backend=BACKEND`                         | Same as `traefik.frontend.backend`                          |
 | `traefik.<segment_name>.frontend.entryPoints=https`                       | Same as `traefik.frontend.entryPoints`                      |
 | `traefik.<segment_name>.frontend.errors.<name>.backend=NAME`              | Same as `traefik.frontend.errors.<name>.backend`            |
 | `traefik.<segment_name>.frontend.errors.<name>.query=PATH`                | Same as `traefik.frontend.errors.<name>.query`              |

docs/configuration/backends/rancher.md

@@ -226,12 +226,12 @@ Segment labels override the default behavior.
 
 | Label                                                                     | Description                                                 |
 |---------------------------------------------------------------------------|-------------------------------------------------------------|
+| `traefik.<segment_name>.backend=BACKEND`                                  | Same as `traefik.backend`                                   |
 | `traefik.<segment_name>.domain=DOMAIN`                                    | Same as `traefik.domain`                                    |
 | `traefik.<segment_name>.port=PORT`                                        | Same as `traefik.port`                                      |
 | `traefik.<segment_name>.protocol=http`                                    | Same as `traefik.protocol`                                  |
 | `traefik.<segment_name>.weight=10`                                        | Same as `traefik.weight`                                    |
 | `traefik.<segment_name>.frontend.auth.basic=EXPR`                         | Same as `traefik.frontend.auth.basic`                       |
-| `traefik.<segment_name>.frontend.backend=BACKEND`                         | Same as `traefik.frontend.backend`                          |
 | `traefik.<segment_name>.frontend.entryPoints=https`                       | Same as `traefik.frontend.entryPoints`                      |
 | `traefik.<segment_name>.frontend.errors.<name>.backend=NAME`              | Same as `traefik.frontend.errors.<name>.backend`            |
 | `traefik.<segment_name>.frontend.errors.<name>.query=PATH`                | Same as `traefik.frontend.errors.<name>.query`              |

docs/configuration/entrypoints.md

@@ -106,7 +106,7 @@ traefik:
 ```ini
 Name:foo
 Address::80
-TLS:goo,gii
+TLS:/my/path/foo.cert,/my/path/foo.key;/my/path/goo.cert,/my/path/goo.key;/my/path/hoo.cert,/my/path/hoo.key
 TLS
 TLS.MinVersion:VersionTLS11
 TLS.CipherSuites:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA384

docs/index.md

@@ -12,7 +12,7 @@
 
 Træfik is a modern HTTP reverse proxy and load balancer that makes deploying microservices easy.
 Træfik integrates with your existing infrastructure components ([Docker](https://www.docker.com/), [Swarm mode](https://docs.docker.com/engine/swarm/), [Kubernetes](https://kubernetes.io), [Marathon](https://mesosphere.github.io/marathon/), [Consul](https://www.consul.io/), [Etcd](https://coreos.com/etcd/), [Rancher](https://rancher.com), [Amazon ECS](https://aws.amazon.com/ecs), ...) and configures itself automatically and dynamically.
-Telling Træfik where your orchestrator is could be the _only_ configuration step you need to do.
+Pointing Træfik at your orchestrator should be the _only_ configuration step you need.
 
 ## Overview
 

middlewares/accesslog/logger.go

@@ -101,19 +101,25 @@ func openAccessLogFile(filePath string) (*os.File, error) {
 	return file, nil
 }
 
-// GetLogDataTable gets the request context object that contains logging data. This accretes
-// data as the request passes through the middleware chain.
+// GetLogDataTable gets the request context object that contains logging data.
+// This creates data as the request passes through the middleware chain.
 func GetLogDataTable(req *http.Request) *LogData {
-	return req.Context().Value(DataTableKey).(*LogData)
+	if ld, ok := req.Context().Value(DataTableKey).(*LogData); ok {
+		return ld
+	}
+	log.Errorf("%s is nil", DataTableKey)
+	return &LogData{Core: make(CoreLogData)}
 }
 
 func (l *LogHandler) ServeHTTP(rw http.ResponseWriter, req *http.Request, next http.HandlerFunc) {
 	now := time.Now().UTC()
-	core := make(CoreLogData)
+
+	core := CoreLogData{
+		StartUTC:   now,
+		StartLocal: now.Local(),
+	}
 
 	logDataTable := &LogData{Core: core, Request: req.Header}
-	core[StartUTC] = now
-	core[StartLocal] = now.Local()
 
 	reqWithDataTable := req.WithContext(context.WithValue(req.Context(), DataTableKey, logDataTable))
 

middlewares/accesslog/save_backend.go

@@ -43,8 +43,6 @@ func (sb *SaveBackend) ServeHTTP(rw http.ResponseWriter, r *http.Request) {
 	table.Core[OriginContentSize] = crw.Size()
 }
 
-//-------------------------------------------------------------------------------------------------
-
 // SaveFrontend sends the frontend name to the logger. These are sometimes used with a corresponding
 // SaveBackend handler, but not always. For example, redirected requests don't reach a backend.
 type SaveFrontend struct {

middlewares/errorpages/error_pages.go

@@ -99,7 +99,8 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, req *http.Request, next http.
 			utils.CopyHeaders(pageReq.Header, req.Header)
 			utils.CopyHeaders(w.Header(), recorder.Header())
 			w.WriteHeader(recorder.GetCode())
-			h.backendHandler.ServeHTTP(w, pageReq)
+
+			h.backendHandler.ServeHTTP(w, pageReq.WithContext(req.Context()))
 			return
 		}
 	}

middlewares/tracing/forwarder.go

@@ -33,7 +33,7 @@ func (f *forwarderMiddleware) ServeHTTP(w http.ResponseWriter, r *http.Request,
 	span.SetTag("frontend.name", f.frontend)
 	span.SetTag("backend.name", f.backend)
 	ext.HTTPMethod.Set(span, r.Method)
-	ext.HTTPUrl.Set(span, r.URL.String())
+	ext.HTTPUrl.Set(span, fmt.Sprintf("%s%s", r.URL.String(), r.RequestURI))
 	span.SetTag("http.host", r.Host)
 
 	InjectRequestHeaders(r)