diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md index 10570f2bfd..084ec0ba8c 100644 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -3,11 +3,11 @@ PLEASE READ THIS MESSAGE. Documentation fixes or enhancements: - for Traefik v2: use branch v2.11 -- for Traefik v3: use branch v3.2 +- for Traefik v3: use branch v3.3 Bug fixes: - for Traefik v2: use branch v2.11 -- for Traefik v3: use branch v3.2 +- for Traefik v3: use branch v3.3 Enhancements: - for Traefik v2: we only accept bug fixes diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 9f863a4263..14a7e4633b 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -15,11 +15,11 @@ env: jobs: build-webui: - if: github.ref_type == 'tag' + if: github.ref_type == 'tag' && github.repository == 'traefik/traefik' uses: ./.github/workflows/template-webui.yaml build: - if: github.ref_type == 'tag' + if: github.ref_type == 'tag' && github.repository == 'traefik/traefik' runs-on: ubuntu-latest strategy: @@ -80,7 +80,7 @@ jobs: retention-days: 1 release: - if: github.ref_type == 'tag' + if: github.ref_type == 'tag' && github.repository == 'traefik/traefik' runs-on: ubuntu-latest needs: diff --git a/CHANGELOG.md b/CHANGELOG.md index 4f3684040e..d522235e0d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
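Review bot: The three job-level conditions (`build-webui`, `build`, `release`) each repeat the literal `github.repository == 'traefik/traefik'` with no comment saying why, so a job added to this workflow later without the clause would still run on a tag pushed in a fork. A short comment above the `jobs:` key would make the intent explicit, for example `# Release jobs must only run in the upstream repository; keep the github.repository check on every job.` The rest of the workflow, including which secrets the release job uses, is outside these hunks, so whether other jobs need the same guard cannot be confirmed from here.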
@@ -1,3 +1,89 @@ +## [v3.3.1](/~https://github.com/traefik/traefik/tree/v3.3.1) (2025-01-07) +[All Commits](/~https://github.com/traefik/traefik/compare/v3.3.0...v3.3.1) + +**Bug fixes:** +- **[websocket,server]** Disable http2 connect setting for websocket by default ([#11408](/~https://github.com/traefik/traefik/pull/11408) by [rtribotte](/~https://github.com/rtribotte)) + +## [v3.2.5](/~https://github.com/traefik/traefik/tree/v3.2.5) (2025-01-07) +[All Commits](/~https://github.com/traefik/traefik/compare/v3.2.4...v3.2.5) + +**Bug fixes:** +- **[websocket,server]** Disable http2 connect setting for websocket by default ([#11408](/~https://github.com/traefik/traefik/pull/11408) by [rtribotte](/~https://github.com/rtribotte)) + +## [v2.11.18](/~https://github.com/traefik/traefik/tree/v2.11.18) (2025-01-07) +[All Commits](/~https://github.com/traefik/traefik/compare/v2.11.17...v2.11.18) + +**Bug fixes:** +- **[websocket,server]** Disable http2 connect setting for websocket by default ([#11412](/~https://github.com/traefik/traefik/pull/11412) by [rtribotte](/~https://github.com/rtribotte)) + +## [v3.3.0](/~https://github.com/traefik/traefik/tree/v3.3.0) (2025-01-06) +[All Commits](/~https://github.com/traefik/traefik/compare/v3.2.0-rc1...v3.3.0) + +**Enhancements:** +- **[acme]** Add options to control ACME propagation checks ([#11241](/~https://github.com/traefik/traefik/pull/11241) by [ldez](/~https://github.com/ldez)) +- **[api]** Add support dump API endpoint ([#11328](/~https://github.com/traefik/traefik/pull/11328) by [mmatur](/~https://github.com/mmatur)) +- **[http]** Set Host header in HTTP provider request ([#11237](/~https://github.com/traefik/traefik/pull/11237) by [nikonhub](/~https://github.com/nikonhub)) +- **[k8s/crd,k8s]** Make the IngressRoute kind optional ([#11177](/~https://github.com/traefik/traefik/pull/11177) by [skirtan1](/~https://github.com/skirtan1)) +- **[k8s/ingress,sticky-session,k8s/crd,k8s]** Support serving endpoints 
([#11121](/~https://github.com/traefik/traefik/pull/11121) by [BZValoche](/~https://github.com/BZValoche)) +- **[logs,accesslogs]** OpenTelemetry Logs and Access Logs ([#11319](/~https://github.com/traefik/traefik/pull/11319) by [rtribotte](/~https://github.com/rtribotte)) +- **[logs,accesslogs]** Add experimental flag for OTLP logs integration ([#11335](/~https://github.com/traefik/traefik/pull/11335) by [kevinpollet](/~https://github.com/kevinpollet)) +- **[metrics,tracing,accesslogs]** Manage observability at entrypoint and router level ([#11308](/~https://github.com/traefik/traefik/pull/11308) by [rtribotte](/~https://github.com/rtribotte)) +- **[middleware,authentication]** Add an option to preserve the ForwardAuth Server Location header ([#11318](/~https://github.com/traefik/traefik/pull/11318) by [Nelwhix](/~https://github.com/Nelwhix)) +- **[middleware,authentication]** Only calculate basic auth hashes once for concurrent requests ([#11143](/~https://github.com/traefik/traefik/pull/11143) by [michelheusschen](/~https://github.com/michelheusschen)) +- **[middleware,authentication]** Send request body to authorization server for forward auth ([#11097](/~https://github.com/traefik/traefik/pull/11097) by [kyo-ke](/~https://github.com/kyo-ke)) +- **[plugins]** Add AbortOnPluginFailure option to abort startup on plugin load failure ([#11228](/~https://github.com/traefik/traefik/pull/11228) by [bmagic](/~https://github.com/bmagic)) +- **[sticky-session]** Configurable path for sticky cookies ([#11166](/~https://github.com/traefik/traefik/pull/11166) by [IIpragmaII](/~https://github.com/IIpragmaII)) +- **[webui,api]** Configurable API & Dashboard base path ([#11250](/~https://github.com/traefik/traefik/pull/11250) by [rtribotte](/~https://github.com/rtribotte)) + +**Bug fixes:** +- **[k8s/ingress,k8s/crd]** Fix fenced server status computation ([#11361](/~https://github.com/traefik/traefik/pull/11361) by [kevinpollet](/~https://github.com/kevinpollet)) + 
+**Documentation:** +- Prepare release v3.3.0-rc2 ([#11362](/~https://github.com/traefik/traefik/pull/11362) by [rtribotte](/~https://github.com/rtribotte)) +- Prepare Release v3.3.0-rc1 ([#11349](/~https://github.com/traefik/traefik/pull/11349) by [rtribotte](/~https://github.com/rtribotte)) + +**Misc:** +- Merge branch v3.2 into v3.3 ([#11402](/~https://github.com/traefik/traefik/pull/11402) by [kevinpollet](/~https://github.com/kevinpollet)) +- Merge branch v3.2 into v3.3 ([#11393](/~https://github.com/traefik/traefik/pull/11393) by [mmatur](/~https://github.com/mmatur)) +- Merge branch v3.2 into v3.3 ([#11389](/~https://github.com/traefik/traefik/pull/11389) by [mmatur](/~https://github.com/mmatur)) +- Merge branch v3.2 into v3.3 ([#11367](/~https://github.com/traefik/traefik/pull/11367) by [kevinpollet](/~https://github.com/kevinpollet)) +- Merge branch v3.2 into master ([#11340](/~https://github.com/traefik/traefik/pull/11340) by [kevinpollet](/~https://github.com/kevinpollet)) +- Merge branch v3.2 into master ([#11293](/~https://github.com/traefik/traefik/pull/11293) by [kevinpollet](/~https://github.com/kevinpollet)) +- Merge branch v3.2 into master ([#11239](/~https://github.com/traefik/traefik/pull/11239) by [kevinpollet](/~https://github.com/kevinpollet)) +- Merge branch v3.2 into master ([#11187](/~https://github.com/traefik/traefik/pull/11187) by [kevinpollet](/~https://github.com/kevinpollet)) + +## [v3.2.4](/~https://github.com/traefik/traefik/tree/v3.2.4) (2025-01-06) +[All Commits](/~https://github.com/traefik/traefik/compare/v3.2.3...v3.2.4) + +**Bug fixes:** +- **[k8s/gatewayapi]** Support empty value for core Kubernetes API group ([#11386](/~https://github.com/traefik/traefik/pull/11386) by [rtribotte](/~https://github.com/rtribotte)) +- **[tcp,k8s/crd]** Pass TLS bool from IngressRouteTCP to TCPService ([#11343](/~https://github.com/traefik/traefik/pull/11343) by [lipmem](/~https://github.com/lipmem)) +- **[tls]** Upgrade 
github.com/spiffe/go-spiffe/v2 to v2.4.0 ([#11385](/~https://github.com/traefik/traefik/pull/11385) by [mmatur](/~https://github.com/mmatur)) +- Remove duplicate github.com/coreos/go-systemd dependency ([#11354](/~https://github.com/traefik/traefik/pull/11354) by [Juneezee](/~https://github.com/Juneezee)) + +**Documentation:** +- **[k8s/gatewayapi]** Update Gateway API version support to v1.2.1 ([#11357](/~https://github.com/traefik/traefik/pull/11357) by [kevinpollet](/~https://github.com/kevinpollet)) +- Add @jnoordsij to maintainers ([#11352](/~https://github.com/traefik/traefik/pull/11352) by [emilevauge](/~https://github.com/emilevauge)) + +**Misc:** +- Merge branch v2.11 into v3.2 ([#11400](/~https://github.com/traefik/traefik/pull/11400) by [kevinpollet](/~https://github.com/kevinpollet)) +- Merge branch v2.11 into v3.2 ([#11392](/~https://github.com/traefik/traefik/pull/11392) by [rtribotte](/~https://github.com/rtribotte)) +- Merge branch v2.11 into v3.2 ([#11388](/~https://github.com/traefik/traefik/pull/11388) by [mmatur](/~https://github.com/mmatur)) +- Merge branch v2.11 into v3.2 ([#11366](/~https://github.com/traefik/traefik/pull/11366) by [kevinpollet](/~https://github.com/kevinpollet)) + +## [v2.11.17](/~https://github.com/traefik/traefik/tree/v2.11.17) (2025-01-06) +[All Commits](/~https://github.com/traefik/traefik/compare/v2.11.16...v2.11.17) + +**Bug fixes:** +- **[acme]** Update go-acme/lego to v4.21.0 ([#11368](/~https://github.com/traefik/traefik/pull/11368) by [ldez](/~https://github.com/ldez)) +- **[middleware]** Fix typo in basicauth note ([#11397](/~https://github.com/traefik/traefik/pull/11397) by [tieje](/~https://github.com/tieje)) +- **[service]** Configure ErrorLog in httputil.ReverseProxy ([#11344](/~https://github.com/traefik/traefik/pull/11344) by [peacewalker122](/~https://github.com/peacewalker122)) +- Bump golang.org/x/net to v0.33.0 ([#11365](/~https://github.com/traefik/traefik/pull/11365) by 
[kevinpollet](/~https://github.com/kevinpollet)) + +**Documentation:** +- **[acme]** Fix allowACMEByPass TOML example ([#11370](/~https://github.com/traefik/traefik/pull/11370) by [hannesbraun](/~https://github.com/hannesbraun)) +- **[k8s/crd]** Update copyright for 2025 ([#11383](/~https://github.com/traefik/traefik/pull/11383) by [kevinpollet](/~https://github.com/kevinpollet)) + ## [v3.3.0-rc2](/~https://github.com/traefik/traefik/tree/v3.3.0-rc2) (2024-12-20) [All Commits](/~https://github.com/traefik/traefik/compare/v3.3.0-rc1...v3.3.0-rc2) diff --git a/cmd/traefik/traefik.go b/cmd/traefik/traefik.go index 4caa279e97..02821d7ed2 100644 --- a/cmd/traefik/traefik.go +++ b/cmd/traefik/traefik.go @@ -26,6 +26,7 @@ import ( "github.com/traefik/traefik/v3/cmd" "github.com/traefik/traefik/v3/cmd/healthcheck" cmdVersion "github.com/traefik/traefik/v3/cmd/version" + _ "github.com/traefik/traefik/v3/init" tcli "github.com/traefik/traefik/v3/pkg/cli" "github.com/traefik/traefik/v3/pkg/collector" "github.com/traefik/traefik/v3/pkg/config/dynamic" diff --git a/docs/content/deprecation/releases.md b/docs/content/deprecation/releases.md index 001b161db0..d3fb7914bb 100644 --- a/docs/content/deprecation/releases.md +++ b/docs/content/deprecation/releases.md @@ -6,7 +6,8 @@ Below is a non-exhaustive list of versions and their maintenance status: | Version | Release Date | Community Support | |---------|--------------|--------------------| -| 3.2 | Oct 28, 2024 | Yes | +| 3.3 | Jan 06, 2025 | Yes | +| 3.2 | Oct 28, 2024 | Ended Jan 06, 2025 | | 3.1 | Jul 15, 2024 | Ended Oct 28, 2024 | | 3.0 | Apr 29, 2024 | Ended Jul 15, 2024 | | 2.11 | Feb 12, 2024 | Ends Apr 29, 2025 | diff --git a/docs/content/middlewares/http/basicauth.md b/docs/content/middlewares/http/basicauth.md index 68c341a392..5faaa1e3eb 100644 --- a/docs/content/middlewares/http/basicauth.md +++ b/docs/content/middlewares/http/basicauth.md 
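Review bot: The blank import `_ "github.com/traefik/traefik/v3/init"` in cmd/traefik/traefik.go carries no comment saying which side effect it is imported for, so a later import clean-up could drop it without any compile error and only the integration test would notice that the HTTP/2 connect setting is advertised again. I would add a trailing comment such as `// side effect: sets GODEBUG http2xconnect=0 unless the operator already set it`. Its position in the import list does not decide when the package is initialised, so the comment should not suggest that it does.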
@@ -21,7 +21,7 @@ The BasicAuth middleware grants access to services to authorized users only. # To create user:password pair, it's possible to use this command: # echo $(htpasswd -nB user) | sed -e s/\\$/\\$\\$/g # -# Also note that dollar signs should NOT be doubled when they not evaluated (e.g. Ansible docker_container module). +# Also note that dollar signs should NOT be doubled when they are not being evaluated (e.g. Ansible docker_container module). labels: - "traefik.http.middlewares.test-auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0" ``` diff --git a/docs/content/migration/v3.md b/docs/content/migration/v3.md index 966a1dce7a..10ed8c3145 100644 --- a/docs/content/migration/v3.md +++ b/docs/content/migration/v3.md @@ -173,7 +173,7 @@ please use the `traefik.swarm.network` and `traefik.swarm.lbswarm` labels instea ### ACME DNS Certificate Resolver In `v3.3`, the `acme.dnsChallenge.delaybeforecheck` and `acme.dnsChallenge.disablepropagationcheck` options of the ACME certificate resolver are deprecated, -please use respectively `acme.dnsChallenge.propagation.delayBeforeCheck` and `acme.dnsChallenge.propagation.disableAllChecks` options instead. +please use respectively `acme.dnsChallenge.propagation.delayBeforeChecks` and `acme.dnsChallenge.propagation.disableAllChecks` options instead. ### Tracing Global Attributes diff --git a/init/init.go b/init/init.go new file mode 100644 index 0000000000..e54655d0f0 --- /dev/null +++ b/init/init.go 
@@ -0,0 +1,21 @@
+package init
+
+import (
+ "os"
+ "strings"
+)
+
+// This makes use of the GODEBUG flag `http2xconnect` to deactivate the connect setting for HTTP2 by default.
+// This type of upgrade is yet incompatible with `net/http` http1 reverse proxy.
+// Please see /~https://github.com/golang/go/issues/71128#issuecomment-2574193636.
+func init() {
+ goDebug := os.Getenv("GODEBUG")
+ if strings.Contains(goDebug, "http2xconnect") {
+ return
+ }
+
+ if len(goDebug) > 0 {
+ goDebug += ","
+ }
+ os.Setenv("GODEBUG", goDebug+"http2xconnect=0")
+}
diff --git a/integration/websocket_test.go b/integration/websocket_test.go
index 508bb95736..00cfb7e103 100644
--- a/integration/websocket_test.go
+++ b/integration/websocket_test.go
@@ -16,6 +16,7 @@ import (
 "github.com/stretchr/testify/require"
 "github.com/stretchr/testify/suite"
 "github.com/traefik/traefik/v3/integration/try"
+ "golang.org/x/net/http2"
 "golang.org/x/net/websocket"
 )
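Review bot: The comment above `init()` in init/init.go does not state the timing assumption the function depends on: `os.Setenv` only helps if it runs before the HTTP/2 code reads `GODEBUG`, which presumably happens during that package's own initialisation, so this package has to stay free of imports that would delay it. I would add `// NOTE: keep this package limited to os and strings; it must be initialised before any package that reads GODEBUG.` The `strings.Contains(goDebug, "http2xconnect")` check also treats any operator-supplied value, including `http2xconnect=1`, as a deliberate override, which is worth stating in the comment because it re-enables the setting this commit turns off. The return value of `os.Setenv` is discarded; a one-line comment saying that is intentional would keep linters and readers from guessing.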
@@ -451,6 +452,44 @@ func (s *WebsocketSuite) TestSSLhttp2() { assert.Equal(s.T(), "OK", string(msg)) } +func (s *WebsocketSuite) TestSettingEnableConnectProtocol() { + file := s.adaptFile("fixtures/websocket/config_https.toml", struct { + WebsocketServer string + }{ + WebsocketServer: "http://127.0.0.1", + }) + + s.traefikCmd(withConfigFile(file), "--log.level=DEBUG", "--accesslog") + + // Wait for traefik. + err := try.GetRequest("http://127.0.0.1:8080/api/rawdata", 10*time.Second, try.BodyContains("127.0.0.1")) + require.NoError(s.T(), err) + + // Add client self-signed cert. + roots := x509.NewCertPool() + certContent, err := os.ReadFile("./resources/tls/local.cert") + require.NoError(s.T(), err) + + roots.AppendCertsFromPEM(certContent) + + // Open a connection to inspect SettingsFrame. + conn, err := tls.Dial("tcp", "127.0.0.1:8000", &tls.Config{ + RootCAs: roots, + NextProtos: []string{"h2"}, + }) + require.NoError(s.T(), err) + + framer := http2.NewFramer(nil, conn) + frame, err := framer.ReadFrame() + require.NoError(s.T(), err) + + fr, ok := frame.(*http2.SettingsFrame) + require.True(s.T(), ok) + + _, ok = fr.Value(http2.SettingEnableConnectProtocol) + assert.False(s.T(), ok) +} + func (s *WebsocketSuite) TestHeaderAreForwarded() { upgrader := gorillawebsocket.Upgrader{} // use default options diff --git a/pkg/config/static/static_config.go b/pkg/config/static/static_config.go index c254711dfc..de0fa51cc6 100644 --- a/pkg/config/static/static_config.go +++ b/pkg/config/static/static_config.go @@ -331,7 +331,7 @@ func (c *Configuration) SetEffectiveConfiguration() { } if resolver.ACME.DNSChallenge.DelayBeforeCheck > 0 { - log.Warn().Msgf("delayBeforeCheck is now deprecated, please use propagation.delayBeforeCheck instead.") + log.Warn().Msgf("delayBeforeCheck is now deprecated, please use propagation.delayBeforeChecks instead.") if resolver.ACME.DNSChallenge.Propagation == nil { resolver.ACME.DNSChallenge.Propagation = &acmeprovider.Propagation{} 
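Review bot: In `TestSettingEnableConnectProtocol` the connection returned by `tls.Dial` is never closed and `framer.ReadFrame()` runs without a deadline, so a server that sends nothing hangs the suite instead of failing the test. Adding `defer conn.Close()` and `require.NoError(s.T(), conn.SetReadDeadline(time.Now().Add(5*time.Second)))` right after the dial covers both. The boolean from `roots.AppendCertsFromPEM(certContent)` is also dropped; `require.True(s.T(), roots.AppendCertsFromPEM(certContent))` would report an unparsable certificate directly rather than as a later handshake error.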
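Review bot: The changed warning in pkg/config/static/static_config.go is passed to `Msgf` although it has no format arguments, so `log.Warn().Msg("delayBeforeCheck is now deprecated, please use propagation.delayBeforeChecks instead.")` is the better call and avoids treating a future `%` in the text as a verb. `SetEffectiveConfiguration` begins and ends outside this hunk.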
diff --git a/pkg/provider/acme/provider.go b/pkg/provider/acme/provider.go index 48ce9d4a3d..96795c5eda 100644 --- a/pkg/provider/acme/provider.go +++ b/pkg/provider/acme/provider.go @@ -89,7 +89,7 @@ type DNSChallenge struct { Resolvers []string `description:"Use following DNS servers to resolve the FQDN authority." json:"resolvers,omitempty" toml:"resolvers,omitempty" yaml:"resolvers,omitempty"` Propagation *Propagation `description:"DNS propagation checks configuration" json:"propagation,omitempty" toml:"propagation,omitempty" yaml:"propagation,omitempty" label:"allowEmpty" file:"allowEmpty" export:"true"` - // Deprecated: please use Propagation.DelayBeforeCheck instead. + // Deprecated: please use Propagation.DelayBeforeChecks instead. DelayBeforeCheck ptypes.Duration `description:"(Deprecated) Assume DNS propagates after a delay in seconds rather than finding and querying nameservers." json:"delayBeforeCheck,omitempty" toml:"delayBeforeCheck,omitempty" yaml:"delayBeforeCheck,omitempty" export:"true"` // Deprecated: please use Propagation.DisableAllChecks instead. DisablePropagationCheck bool `description:"(Deprecated) Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready. [not recommended]" json:"disablePropagationCheck,omitempty" toml:"disablePropagationCheck,omitempty" yaml:"disablePropagationCheck,omitempty" export:"true"` diff --git a/script/gcg/traefik-bugfix.toml b/script/gcg/traefik-bugfix.toml index a3fe0e158b..af780d4a2c 100644 --- a/script/gcg/traefik-bugfix.toml +++ b/script/gcg/traefik-bugfix.toml @@ -4,11 +4,11 @@ RepositoryName = "traefik" OutputType = "file" FileName = "traefik_changelog.md" -# example new bugfix v3.2.3 -CurrentRef = "v3.2" -PreviousRef = "v3.2.2" -BaseBranch = "v3.2" -FutureCurrentRefName = "v3.2.3" +# example new bugfix v3.3.1 +CurrentRef = "v3.3" +PreviousRef = "v3.3.0" +BaseBranch = "v3.3" +FutureCurrentRefName = "v3.3.1" ThresholdPreviousRef = 10 ThresholdCurrentRef = 10 
diff --git a/script/gcg/traefik-final-release-part1.toml b/script/gcg/traefik-final-release-part1.toml index 8b2375d765..f8313d1ca9 100644 --- a/script/gcg/traefik-final-release-part1.toml +++ b/script/gcg/traefik-final-release-part1.toml @@ -4,11 +4,11 @@ RepositoryName = "traefik" OutputType = "file" FileName = "traefik_changelog.md" -# example final release of v3.2.0 -CurrentRef = "v3.2" -PreviousRef = "v3.2.0-rc1" -BaseBranch = "v3.2" -FutureCurrentRefName = "v3.2.0" +# example final release of v3.3.0 +CurrentRef = "v3.3" +PreviousRef = "v3.3.0-rc1" +BaseBranch = "v3.3" +FutureCurrentRefName = "v3.3.0" ThresholdPreviousRef = 10 ThresholdCurrentRef = 10 diff --git a/script/gcg/traefik-final-release-part2.toml b/script/gcg/traefik-final-release-part2.toml index 81f571eef4..72fbfdcb5d 100644 --- a/script/gcg/traefik-final-release-part2.toml +++ b/script/gcg/traefik-final-release-part2.toml @@ -4,11 +4,11 @@ RepositoryName = "traefik" OutputType = "file" FileName = "traefik_changelog.md" -# example final release of v3.2.0 -CurrentRef = "v3.2.0-rc1" -PreviousRef = "v3.1.0-rc1" +# example final release of v3.3.0 +CurrentRef = "v3.3.0-rc1" +PreviousRef = "v3.2.0-rc1" BaseBranch = "master" -FutureCurrentRefName = "v3.2.0-rc1" +FutureCurrentRefName = "v3.3.0" ThresholdPreviousRef = 10 ThresholdCurrentRef = 10