Traefik 1.5 — Cancoillotte Is Here!

Try to pronounce it right ;)

After 3 months of development, we are thrilled to announce the fresh new release of Traefik: 1.5, codename cancoillotte.

We merged 175 pull requests from more than 67 contributors! Huge thanks go to all of you who helped on this new version 😘.

The full changelog can be found here, but here are some new features we want to highlight:

Let’s Encrypt HTTP Challenge

On January the 9th, a little surprise appeared on our Twitter timeline:

2018.01.09 Issue with TLS-SNI-01 and Shared Hosting Infrastructure
[Update 2018-01-18: The most up-to-date summary is at IMPORTANT: What you need to know about TLS-SNI validation issues] At approximately 5 p.m. Pacific time on January 9, 2018, we received a report from Frans Rosén of Detectify outlining a method of exploiting some shared hosting infrastructures to…

And then:

2018.01.11 Update Regarding ACME TLS-SNI and Shared Hosting Infrastructure
[Update 2018-01-18: The most up-to-date summary is at IMPORTANT: What you need to know about TLS-SNI validation issues] Please see this post for background information. The last 48 hours have been a busy time for Let’s Encrypt staff. We’ve been working hard to come up with a plan for ACME TLS-SNI …

TL;DR: Let’s Encrypt permanently disabled the TLS-SNI-0x challenge due to a vulnerability.

And yes, Traefik was using the TLS-SNI-01 challenge by default. Ouch…

Even though we were at the end of a release cycle (1.5.0-rc4 was already out), we decided to push an emergency release candidate to add HTTP-01 challenge support. This fix was big enough to land in the new 1.5 rather than as a bug fix on the 1.4 branch. Users will need to enable it with the new acme.httpChallenge section.
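A configuration check for the switch described above, as an added example (not Traefik's code and not part of the original post): it flags a config that has [acme] but no [acme.httpChallenge], or whose challenge entry point is not on port 80, where Let's Encrypt sends HTTP-01 validation requests. The helper name, the sample configs and the line-based parsing are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample configs (not from the post): [acme] alone, then with the new section.
const legacyConf = `[entryPoints.https]
address = ":443"
[acme]
entryPoint = "https"
`
const fixedConf = legacyConf + `[entryPoints.http]
address = ":80"
[acme.httpChallenge]
entryPoint = "http"
`

// auditHTTPChallenge (hypothetical helper) line-scans a Traefik TOML config; "" means HTTP-01 looks usable.
func auditHTTPChallenge(conf string) string {
	section, hasACME, challengeEP := "", false, ""
	addr := map[string]string{} // entry point name -> listen address
	for _, line := range strings.Split(conf, "\n") {
		line = strings.TrimSpace(line)
		if strings.HasPrefix(line, "[") { // table header such as [acme]
			section = strings.Trim(line, "[]")
			hasACME = hasACME || section == "acme" || strings.HasPrefix(section, "acme.")
		}
		k, v, _ := strings.Cut(line, "=")
		key, val := strings.TrimSpace(k), strings.Trim(strings.TrimSpace(v), `"`)
		if section == "acme.httpChallenge" && key == "entryPoint" {
			challengeEP = val
		} else if strings.HasPrefix(section, "entryPoints.") && key == "address" {
			addr[strings.TrimPrefix(section, "entryPoints.")] = val
		}
	}
	switch {
	case hasACME && challengeEP == "":
		return "[acme] is set without [acme.httpChallenge]: HTTP-01 is not enabled"
	case hasACME && !strings.HasSuffix(addr[challengeEP], ":80"):
		return fmt.Sprintf("entry point %q (address %q) must exist and receive port 80 traffic", challengeEP, addr[challengeEP])
	}
	return ""
}

func main() {
	fmt.Printf("legacy: %q\nfixed:  %q\n", auditHTTPChallenge(legacyConf), auditHTTPChallenge(fixedConf))
}
```

The scanner ignores inline comments and multi-line values, so treat an empty result as a first pass rather than proof that issuance will succeed.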

Stats Collection

A few months ago, we created a proposal in which we came up with the idea of collecting stats from running Traefik instances:

As you may know, the Traefik core development team is quite small and as with a lot of open source projects, we lack time and resources. As a consequence, we have to carefully choose which tasks and features need our attention. As a result, we usually invest our time on features needed or requested by most of the community. In order to efficiently do this, we have to know how our community uses Traefik.

As this is a super sensitive topic, we preferred to open a public debate, and build a transparent and trusted solution with the community. We are excited to say that we quickly reached a consensus, and Ludovic Fernandez successfully implemented a safe configuration export mechanism.

We chose to make it opt-in, which means that no data will be sent without enabling this feature. If enabled, only anonymous configuration options will be sent to a collecting server.

We really hope that all of our efforts will pay off, and that you will help us improve Traefik by enabling this feature in your infrastructure:

sendAnonymousUsage = true

We invite you to read the constructive discussion that led to this new feature and the documentation to get more details. Many thanks to the community for its positive feedback!

Dynamic TLS Certificates

Nicolas Mengin did a great job at making TLS certificate management dynamic. You can now add or remove TLS certificates while Traefik is running! In addition to backends and frontends, there is now a dedicated tls section in the dynamic configuration. To declare two new certificates using the file provider, add a tls section to your TOML:

[frontends]
...
[backends]
...
# HTTPS certificates
[[tls]]
  entryPoints = ["https"]
  [tls.certificate]
    certFile = "path/to/my.cert"
    keyFile = "path/to/my.key"
[[tls]]
  entryPoints = ["https"]
  [tls.certificate]
    certFile = "path/to/my/other.cert"
    keyFile = "path/to/my/other.key"

Each change of this file will make Traefik reload its TLS certificates. You can also split your configuration into multiple files if you prefer.

Rate Limiting

We received a wonderful gift from Ben Parli who added rate limiting by frontend. You can even add multiple sets of rates to each frontend. Here is an example taken from the documentation:

[frontends]
    [frontends.frontend1]
    entrypoints = ["http"]
    backend = "backend1"
        [frontends.frontend1.routes.test_1]
        rule = "Path:/"
    [frontends.frontend1.ratelimit]
    extractorfunc = "client.ip"
        [frontends.frontend1.ratelimit.rateset.rateset1]
        period = "10s"
        average = 100
        burst = 200
        [frontends.frontend1.ratelimit.rateset.rateset2]
        period = "3s"
        average = 5
        burst = 10

In the above example, frontend1 is configured to limit requests by the client’s IP address. An average of 5 requests every 3 seconds is allowed and an average of 100 requests every 10 seconds. These can “burst” up to 10 and 200 in each period respectively.
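How the two ratesets combine, as an added example (a simplified token-bucket model, not Traefik's implementation and not part of the original post): a request passes only when every rateset still holds a token, so the tighter rateset2 caps a sudden burst from one client at 10. The function names and the assumption that buckets start full are illustrative.

```go
package main

import (
	"fmt"
	"math"
)

// bucket: simplified token-bucket model of one rateset (not Traefik's code); times in seconds.
type bucket struct {
	period, average, burst, tokens, last float64
}

// allow refills every bucket, then admits only if all hold a token; a rejected request consumes nothing.
func allow(set []*bucket, now float64) bool {
	ok := true
	for _, b := range set {
		b.tokens = math.Min(b.burst, b.tokens+(now-b.last)/b.period*b.average)
		b.last = now
		ok = ok && b.tokens >= 1
	}
	for _, b := range set {
		if ok {
			b.tokens--
		}
	}
	return ok
}

// admitted sends n requests from one client IP at each offset (seconds) against
// the post's two ratesets, assumed to start full, and counts those let through.
func admitted(n int, offsets ...float64) int {
	set := []*bucket{
		{period: 10, average: 100, burst: 200, tokens: 200}, // rateset1
		{period: 3, average: 5, burst: 10, tokens: 10},      // rateset2
	}
	count := 0
	for _, at := range offsets {
		for i := 0; i < n; i++ {
			if allow(set, at) {
				count++
			}
		}
	}
	return count
}

func main() {
	fmt.Println(admitted(50, 0), admitted(50, 0, 3), admitted(1, 0, 1, 2, 3, 4, 5))
}
```

The three calls model a burst of 50 requests at once, the same burst repeated 3 seconds later, and one request per second for six seconds.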

Azure Service Fabric Support

Lawrence Gripper and Joni Collinge from Microsoft made a great contribution (with the help of Ludovic Fernandez) adding Azure Service Fabric support to Traefik.

Azure Service Fabric is a distributed systems platform that makes it easy to package, deploy, and manage scalable and reliable microservices and containers.

This new provider uses labels to configure how services are exposed through Traefik using the service's ServiceManifest.xml file.

Have a look at the documentation; we will give more updates on this soon!

In A Nutshell

Daniel Tomcej added Kubernetes annotations and Docker labels for security headers, Nicolas Mengin added support for etcd v3, and our great Manuel Zapf implemented redirection to another entryPoint per frontend. Thanks to Aditya C S, Traefik can now export its metrics to InfluxDB. Michael Matur and Ludovic Fernandez did a great job adding multi-versioning to our documentation (from https://docs.traefik.io/v1.0 to http://docs.traefik.io/v1.5). Julien Salleyron refactored the web provider into API/Dashboard, ping, metric and Rest Provider.

But that’s not all: check the whole changelog to get an idea of the awesome work that has been done on this release. Lots of bugs have been fixed, and we have also been working on background refactoring tasks that will help us improve Traefik in future releases.

Grab the latest binary for Linux, Windows, Mac on GitHub or get the official Docker image!

docker pull traefik:v1.5.0          # or 1.5.0, v1.5, 1.5, cancoillotte
docker pull traefik:v1.5.0-alpine   # or 1.5.0-alpine, v1.5-alpine, 1.5-alpine, cancoillotte-alpine

The versioned documentation can be found on https://docs.traefik.io.

We are hiring developers and evangelists, try to solve our puzzle: containo.us/#jobs!

Traefik is still growing fast, we just passed 12k stars on GitHub and 42M downloads!

We would love to hear your feedback on this new release. Join us on GitHub, Twitter or on the Community Forum!


This is a companion discussion topic for the original entry at https://containo.us/blog/traefik-1-5-cancoillotte-is-here-7bd6713ae135/