Traefik 1.7 — Yet Another Slice of Awesomeness
Releases keep rolling! After three months of development and five release candidates, we are proud to announce the release of Traefik 1.7, codename “maroilles”.
We’ve merged more pull requests than ever from our ever-growing community of contributors that has reached more than 300 individuals. Thanks go to every one of you; we are in awe before your enthusiasm at improving Traefik.
The full changelog is available here, but we wanted to highlight our favorite features.
Let’s Encrypt & The New TLS Challenge in Town
Let’s Encrypt integration is one of the most praised features of Traefik, so when Let’s Encrypt faced the TLS-SNI-01 challenge incident, some of our users were left with few (yet satisfactory) alternatives. But when they introduced the TLS ALPN Challenge, Ludovic Fernandez was pleased to make it available right away so the community could once again pick a TLS-based challenge.
[acme]
# …
entryPoint = "https"
[acme.tlsChallenge] #enables the TLS ALPN Challenge
One of the advantages of TLS-based challenges? They only require port 443 to be open.
A Docker Image for Windows
Because we didn’t want to let down our Windows user base, Traefik now has its official Windows Docker image!
That’s correct: no more tinkering with custom builds, you’ll get your Traefik instance right out of the box on your Windows Server infrastructure.
For compatibility reasons, our image is currently based on Windows nanoserver-sac2016, but rest assured that more recent nano server images are on their way.
Our thanks go to Stefan Scherer who harnessed his expertise to make this happen, and to Damien Duportal who fearlessly dove into the subject.
H2C Support
Julien Salleyron would explain it better than I do, but basically, H2C is a way to do HTTP2 without certificates.
Wait … why is that useful?
Well, when you have lots of gRPC services on your infrastructure (that by default use TLS), not having to handle a certificate for each service is a simplification you will probably welcome.
This is why Traefik now supports incoming H2C requests, either by upgrading HTTP1 connections or dealing with “Prior Knowledge” requests.
You can also tell Traefik that your backend servers support H2C (using the traefik.protocol=h2c label or the relevant option for your provider), in which case Traefik will send HTTP2 requests (with prior knowledge) to them.
To make things even better, Traefik accepts both H2C requests and HTTP1 requests on the same entrypoint (port). No need to separate your workload.
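How a single cleartext entrypoint can tell these clients apart, as an added example (not Traefik's code): it classifies the first bytes of a connection using the RFC 7540 rules for the prior-knowledge preface and the HTTP/1.1 `Upgrade: h2c` request. The sample requests, the `HTTP2-Settings` value and the host name svc.example are constructed for illustration.

```python
# Added example, not Traefik code: classify the first bytes a client sends on
# a cleartext port (RFC 7540 section 3.2 for Upgrade, 3.4/3.5 for the preface).
H2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"  # 24-byte client preface

def parse_headers(head: bytes) -> dict:
    """Map lower-cased header names to the list of their values."""
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def tokens(values) -> set:
    """Split comma-separated header values into lower-cased tokens."""
    return {t.strip().lower() for v in values for t in v.split(b",") if t.strip()}

def classify(first_bytes: bytes) -> str:
    """Return 'h2c-prior-knowledge', 'h2c-upgrade', 'http1' or 'incomplete'."""
    # The preface must be checked first: it contains CRLFCRLF, so an HTTP/1
    # parser would otherwise read it as a complete request with method PRI.
    if first_bytes.startswith(H2_PREFACE):
        return "h2c-prior-knowledge"
    if H2_PREFACE.startswith(first_bytes):
        return "incomplete"  # may still become the preface; read more bytes
    head, sep, _ = first_bytes.partition(b"\r\n\r\n")
    if not sep:
        return "incomplete"  # HTTP/1 header block not finished yet
    h = parse_headers(head)
    wants_h2c = b"h2c" in tokens(h.get(b"upgrade", []))
    conn = tokens(h.get(b"connection", []))
    # RFC 7540 3.2: exactly one HTTP2-Settings header, and Connection must
    # list both Upgrade and HTTP2-Settings; anything else stays HTTP/1.
    if (wants_h2c and {b"upgrade", b"http2-settings"} <= conn
            and len(h.get(b"http2-settings", [])) == 1):
        return "h2c-upgrade"
    return "http1"

# Constructed sample inputs (not captured traffic).
UPGRADE = (b"GET / HTTP/1.1\r\nHost: svc.example\r\n"
           b"Connection: Upgrade, HTTP2-Settings\r\nUpgrade: h2c\r\n"
           b"HTTP2-Settings: AAMAAABkAARAAAAAAAIAAAAA\r\n\r\n")
PLAIN = b"GET / HTTP/1.1\r\nHost: svc.example\r\n\r\n"

if __name__ == "__main__":
    for sample in (H2_PREFACE, UPGRADE, PLAIN, H2_PREFACE[:10]):
        print(classify(sample))
```
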
AWS Fargate
Earlier this year, Amazon released AWS Fargate worldwide: a compute engine for Amazon ECS that allows you to run containers without having to manage servers or clusters.
As always, you can count on Traefik to support your favorite cluster technology! In case you decide to run mixed clusters with EC2 and Fargate components, Traefik will seamlessly detect them and work with them with no additional effort on your part (since Michael Matur already did the job).
Auth in Frontends
You can now configure authentication on the frontend layer, which provides fine-grained control over what needs to be secured.
Thanks go to Zatte who provided the feature for the Kubernetes provider (and the idea itself).
Excerpts from the documentation for the file provider:
[frontends.myfrontend.auth]
headerField = "X-WebAuth-User"
[frontends.myfrontend.auth.basic]
users = [ "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",]
You can also check the new authentication options available for the K8S Ingress provider to get a better idea of what’s possible.
Security
Traefik has become a critical component for many, and we want Traefik to be safe for everyone. To help us ensure that, even though these actions are not “per se” new features, we have created a new security mailing list (security+subscribe@traefik.io) you can subscribe to. We will use this mailing list in case there is a security issue that requires your attention.
Another significant step toward making Traefik as safe as possible is the new form you can use to report a vulnerability you might discover. By using this form, you will alert us first and give us the opportunity to fix a potential problem before it impacts others in a negative way.
We really appreciate your help on this sensitive topic.
And Much, Much More …
Daniel Tomcej improved the TLS handshake, Andrew Stucki added constraints support on ECS and allowed the binding of ECS container port, Michael Arenzon added support for stale reads from Consul catalog, Ondrej Flidr tweaked the health check to add support for 3xx codes, Jesse Haka added HTTP headers to the health check, Kim Min made it possible to specify backend servers’ weight in Kubernetes, Ryarnya enabled an async option to improve logging performance, Rodrigo Díez (for his first PR!) added a duration filter for the logs, Timo Reimann added support for multi-port services in K8s, and the list goes on.
Once again, we improved many things behind the curtain and kept working to make Traefik better for everyone. You can check the whole changelog to catch a glimpse of the awesome work that has been done on this release.
Before You Go: The Future Has Begun!
Even if the spoiler season has not yet begun, some of our dedicated contributors have noticed — things are brewing in the master branch, things we’ve been willing to do for a long time, things that have been postponed until now and that we’re excited to work on.
Yes, for now I agree that this cryptic message won’t help you find out what’s coming next, but we’re sure that you’ve already guessed that the next version will be huge.
We’ve decided to unlock all the constraints we had with the stable branch and to work on features we couldn’t easily implement because of the current architecture (and because of compatibility reasons). Our goal with the next version is to set everything up so we can welcome an endless panel of new features, so we can provide greater flexibility to our users (yes, you’ll soon be able to go even further when defining your routes).
To this day, we’ve only updated the code base to get rid of the deprecated elements, but we’ll soon need to introduce breaking changes to test our ideas. What matters here is that we want to share our vision with you so we can hear your feedback. These changes will not be final choices; they will be proposals put to the trial of the community — features matter only if they match your needs.
What does that mean?
It means that the master branch will drift apart from the current stable branch to become the future branch. However, until the future is now, it will remain in constant evolution and prone to change with little notice.
This is the reason why we encourage our users and contributors to not use the master branch for their production system. This is also the reason why, in the meantime, we’ll be pickier with features introduced in the current branch and often redirect you to the master branch: so you can also be involved in the big next.
Traefik is an open source project at its core, and we want to keep it this way — thank you for being part of its success!
Grab the latest binaries for Linux, Windows, and Mac on Github or get the official Docker image!
docker pull traefik:v1.7.0 (or 1.7.0, v1.7, 1.7, maroilles)
docker pull traefik:v1.7.0-alpine (or 1.7.0-alpine, v1.7-alpine, 1.7-alpine, maroilles-alpine)
docker pull traefik:1.7-nanoserver
The versioned documentation can be found on https://docs.traefik.io.
By the way, if you want to join an incredible team so you can express your every talent: We are hiring! Check our available positions!
Traefik adoption rate is astounding! We’ve reached 17k+ stars on Github and 200M+ downloads!