diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..a9db8cf --- /dev/null +++ b/Dockerfile @@ -0,0 +1,8 @@ +ARG TRAEFIK_VERSION=v3.0.0 +ARG BASE_IMAGE=docker.io/traefik:${TRAEFIK_VERSION} +FROM ${BASE_IMAGE} + +COPY testconfig/traefik.yml /etc/traefik/traefik.yml +COPY testconfig/dynamic.yml /etc/traefik/dynamic.yml + +COPY . plugins-local/src/github.com/RiskIdent/traefik-tls-headers-plugin diff --git a/Makefile b/Makefile index 04f6f05..d1c5818 100644 --- a/Makefile +++ b/Makefile @@ -17,4 +17,15 @@ vendor: go mod vendor clean: - rm -rf ./vendor \ No newline at end of file + rm -rf ./vendor + +start_headers_reader: + python3 testconfig/printheaders.py + +testcontainer: + docker build -t traefiktest . + docker run\ + --rm \ + --name traefiktest \ + --network host \ + -it traefiktest diff --git a/readme.md b/readme.md index 353f34d..38e2d34 100644 --- a/readme.md +++ b/readme.md 
@@ -1,270 +1,105 @@ -This repository includes an example plugin, `demo`, for you to use as a reference for developing your own plugins. +# Traefik TLS headers plugin -[![Build Status](https://github.com/traefik/plugindemo/workflows/Main/badge.svg?branch=master)](https://github.com/traefik/plugindemo/actions) - -The existing plugins can be browsed into the [Plugin Catalog](https://plugins.traefik.io). - -# Developing a Traefik plugin - -[Traefik](https://traefik.io) plugins are developed using the [Go language](https://golang.org). - -A [Traefik](https://traefik.io) middleware plugin is just a [Go package](https://golang.org/ref/spec#Packages) that provides an `http.Handler` to perform specific processing of requests and responses. - -Rather than being pre-compiled and linked, however, plugins are executed on the fly by [Yaegi](https://github.com/traefik/yaegi), an embedded Go interpreter. +[![Main workflow](https://github.com/RiskIdent/traefik-tls-headers-plugin/actions/workflows/main.yml/badge.svg)](https://github.com/RiskIdent/traefik-tls-headers-plugin/actions/workflows/main.yml) +[![Go matrix workflow](https://github.com/RiskIdent/traefik-tls-headers-plugin/actions/workflows/go-cross.yml/badge.svg)](https://github.com/RiskIdent/traefik-tls-headers-plugin/actions/workflows/go-cross.yml) ## Usage -For a plugin to be active for a given Traefik instance, it must be declared in the static configuration. - -Plugins are parsed and loaded exclusively during startup, which allows Traefik to check the integrity of the code and catch errors early on. -If an error occurs during loading, the plugin is disabled. - -For security reasons, it is not possible to start a new plugin or modify an existing one while Traefik is running. - -Once loaded, middleware plugins behave exactly like statically compiled middlewares. -Their instantiation and behavior are driven by the dynamic configuration. 
+This plugin will take TLS information from the client connection and write them to some headers. -Plugin dependencies must be [vendored](https://golang.org/ref/mod#vendoring) for each plugin. -Vendored packages should be included in the plugin's GitHub repository. ([Go modules](https://blog.golang.org/using-go-modules) are not supported.) +```yaml +middlewares: + my-middleware: + plugin: + tlsheaders: + headers: + cipher: X-TLS-Cipher +``` ### Configuration -For each plugin, the Traefik static configuration must define the module name (as is usual for Go packages). +Traefik static configuration must define the module name (as is usual for Go packages). The following declaration (given here in YAML) defines a plugin: +
File (YAML) + ```yaml # Static configuration experimental: plugins: - example: - moduleName: github.com/traefik/plugindemo - version: v0.2.1 -``` - -Here is an example of a file provider dynamic configuration (given here in YAML), where the interesting part is the `http.middlewares` section: - -```yaml -# Dynamic configuration - -http: - routers: - my-router: - rule: host(`demo.localhost`) - service: service-foo - entryPoints: - - web - middlewares: - - my-plugin - - services: - service-foo: - loadBalancer: - servers: - - url: http://127.0.0.1:5000 - - middlewares: - my-plugin: - plugin: - example: - headers: - Foo: Bar + tlsheaders: + moduleName: github.com/RiskIdent/traefik-tls-headers-plugin + version: v0.1.0 ``` -### Local Mode +
-Traefik also offers a developer mode that can be used for temporary testing of plugins not hosted on GitHub. -To use a plugin in local mode, the Traefik static configuration must define the module name (as is usual for Go packages) and a path to a [Go workspace](https://golang.org/doc/gopath_code.html#Workspaces), which can be the local GOPATH or any directory. +
CLI -The plugins must be placed in `./plugins-local` directory, -which should be in the working directory of the process running the Traefik binary. -The source code of the plugin should be organized as follows: +```bash +# Static configuration -``` -./plugins-local/ - └── src - └── github.com - └── traefik - └── plugindemo - ├── demo.go - ├── demo_test.go - ├── go.mod - ├── LICENSE - ├── Makefile - └── readme.md +--experimental.plugins.tlsheaders.moduleName=github.com/RiskIdent/traefik-tls-headers-plugin +--experimental.plugins.tlsheaders.version=v0.1.0 ``` -```yaml -# Static configuration +
-experimental: - localPlugins: - example: - moduleName: github.com/traefik/plugindemo -``` -(In the above example, the `plugindemo` plugin will be loaded from the path `./plugins-local/src/github.com/traefik/plugindemo`.) +
Kubernetes ```yaml # Dynamic configuration -http: - routers: - my-router: - rule: host(`demo.localhost`) - service: service-foo - entryPoints: - - web - middlewares: - - my-plugin - - services: - service-foo: - loadBalancer: - servers: - - url: http://127.0.0.1:5000 - - middlewares: - my-plugin: - plugin: - example: - headers: - Foo: Bar +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: my-middleware +spec: + plugin: + tlsheaders: + headers: + cipher: X-TLS-Cipher ``` -## Defining a Plugin - -A plugin package must define the following exported Go objects: - -- A type `type Config struct { ... }`. The struct fields are arbitrary. -- A function `func CreateConfig() *Config`. -- A function `func New(ctx context.Context, next http.Handler, config *Config, name string) (http.Handler, error)`. - -```go -// Package example a example plugin. -package example - -import ( - "context" - "net/http" -) - -// Config the plugin configuration. -type Config struct { - // ... -} +
-// CreateConfig creates the default plugin configuration. -func CreateConfig() *Config { - return &Config{ - // ... - } -} +### Test locally -// Example a plugin. -type Example struct { - next http.Handler - name string - // ... -} +In order to test the plugin locally, start the printheaders application: -// New created a new plugin. -func New(ctx context.Context, next http.Handler, config *Config, name string) (http.Handler, error) { - // ... - return &Example{ - // ... - }, nil -} - -func (e *Example) ServeHTTP(rw http.ResponseWriter, req *http.Request) { - // ... - e.next.ServeHTTP(rw, req) -} +```bash +make start_headers_reader ``` -## Logs - -Currently, the only way to send logs to Traefik is to use `os.Stdout.WriteString("...")` or `os.Stderr.WriteString("...")`. - -In the future, we will try to provide something better and based on levels. - -## Plugins Catalog - -Traefik plugins are stored and hosted as public GitHub repositories. - -Every 30 minutes, the Plugins Catalog online service polls Github to find plugins and add them to its catalog. - -### Prerequisites - -To be recognized by Plugins Catalog, your repository must meet the following criteria: +Then start Traefik with the plugin: -- The `traefik-plugin` topic must be set. -- The `.traefik.yml` manifest must exist, and be filled with valid contents. - -If your repository fails to meet either of these prerequisites, Plugins Catalog will not see it. - -### Manifest - -A manifest is also mandatory, and it should be named `.traefik.yml` and stored at the root of your project. - -This YAML file provides Plugins Catalog with information about your plugin, such as a description, a full name, and so on. - -Here is an example of a typical `.traefik.yml`file: - -```yaml -# The name of your plugin as displayed in the Plugins Catalog web UI. -displayName: Name of your plugin - -# For now, `middleware` is the only type available. -type: middleware - -# The import path of your plugin. 
-import: github.com/username/my-plugin - -# A brief description of what your plugin is doing. -summary: Description of what my plugin is doing - -# Medias associated to the plugin (optional) -iconPath: foo/icon.png -bannerPath: foo/banner.png - -# Configuration data for your plugin. -# This is mandatory, -# and Plugins Catalog will try to execute the plugin with the data you provide as part of its startup validity tests. -testData: - Headers: - Foo: Bar +```bash +make testcontainer ``` -Properties include: - -- `displayName` (required): The name of your plugin as displayed in the Plugins Catalog web UI. -- `type` (required): For now, `middleware` is the only type available. -- `import` (required): The import path of your plugin. -- `summary` (required): A brief description of what your plugin is doing. -- `testData` (required): Configuration data for your plugin. This is mandatory, and Plugins Catalog will try to execute the plugin with the data you provide as part of its startup validity tests. -- `iconPath` (optional): A local path in the repository to the icon of the project. -- `bannerPath` (optional): A local path in the repository to the image that will be used when you will share your plugin page in social medias. - -There should also be a `go.mod` file at the root of your project. Plugins Catalog will use this file to validate the name of the project. +The traefik test configuration is located in the testconfig directory. -### Tags and Dependencies +And finally, make a request to the Traefik instance: -Plugins Catalog gets your sources from a Go module proxy, so your plugins need to be versioned with a git tag. - -Last but not least, if your plugin middleware has Go package dependencies, you need to vendor them and add them to your GitHub repository. - -If something goes wrong with the integration of your plugin, Plugins Catalog will create an issue inside your Github repository and will stop trying to add your repo until you close the issue. 
- -## Troubleshooting - -If Plugins Catalog fails to recognize your plugin, you will need to make one or more changes to your GitHub repository. +```bash +curl https://localhost -k +``` -In order for your plugin to be successfully imported by Plugins Catalog, consult this checklist: +The response should contain the header(s) you set up. -- The `traefik-plugin` topic must be set on your repository. -- There must be a `.traefik.yml` file at the root of your project describing your plugin, and it must have a valid `testData` property for testing purposes. -- There must be a valid `go.mod` file at the root of your project. -- Your plugin must be versioned with a git tag. -- If you have package dependencies, they must be vendored and added to your GitHub repository. +``` +Host: localhost +User-Agent: curl/7.81.0 +Accept: */* +X-Forwarded-For: 127.0.0.1 +X-Forwarded-Host: localhost +X-Forwarded-Port: 443 +X-Forwarded-Proto: https +X-Forwarded-Server: ri-t-0940 +X-Real-Ip: 127.0.0.1 +X-Tls-Cipher: TLS_AES_128_GCM_SHA256 +Accept-Encoding: gzip +``` diff --git a/testconfig/dynamic.yml b/testconfig/dynamic.yml new file mode 100644 index 0000000..1bf63a1 --- /dev/null +++ b/testconfig/dynamic.yml @@ -0,0 +1,22 @@ +http: + routers: + my-router: + rule: "PathPrefix(`/`)" + service: my-service + entryPoints: + - websecure + middlewares: + - my-middleware + + services: + my-service: + loadBalancer: + servers: + - url: "http://localhost:8888" + + middlewares: + my-middleware: + plugin: + tlsheaders: + headers: + cipher: X-TLS-Cipher diff --git a/testconfig/printheaders.py b/testconfig/printheaders.py new file mode 100644 index 0000000..8f2db7c --- /dev/null +++ b/testconfig/printheaders.py 
@@ -0,0 +1,18 @@ +import http.server +import socketserver + + +class MyRequestHandler(http.server.SimpleHTTPRequestHandler): + def do_GET(self): + response_body = "\n".join([f"{header}: {value}" for header, value in self.headers.items()]) + + self.send_response(200) + self.end_headers() + self.wfile.write(response_body.encode("utf-8")) + + +PORT = 8888 +if __name__ == "__main__": + with socketserver.TCPServer(("", PORT), MyRequestHandler) as httpd: + print(f"Serving on port {PORT}") + httpd.serve_forever() diff --git a/testconfig/traefik.yml b/testconfig/traefik.yml new file mode 100644 index 0000000..a90ae1c --- /dev/null +++ b/testconfig/traefik.yml @@ -0,0 +1,18 @@ +entryPoints: + websecure: + address: ":443" + http: + tls: {} + +providers: + file: + filename: "/etc/traefik/dynamic.yml" + +api: + dashboard: true + insecure: true + +experimental: + localPlugins: + tlsheaders: + moduleName: github.com/RiskIdent/traefik-tls-headers-plugin
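Review bot: In the Dockerfile hunk, `COPY . plugins-local/src/github.com/RiskIdent/traefik-tls-headers-plugin` uses a relative destination, so where the plugin lands depends on the base image's working directory, which is also what Traefik's `./plugins-local` lookup (documented in the removed readme text) depends on; set an explicit `WORKDIR` before the `COPY`, or make the destination absolute, so the layout does not silently change with a different `BASE_IMAGE`. The same `COPY .` also pulls the whole build context into the image (`.git`, `vendor`, the Dockerfile itself, and the `testconfig` directory that the two lines above already copy); a `.dockerignore` keeps the image to the plugin sources.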
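Review bot: In the Makefile hunk, the `testcontainer` target runs the container with `--network host` and `-it`. With host networking the `:443` listener and the dashboard that `testconfig/traefik.yml` enables with `api.insecure: true` are bound on the host's own interfaces rather than isolated in the container, so either document the target as local-test-only or replace host networking with `-p 127.0.0.1:443:443`. The `-t` flag also makes the target fail under `make` in CI where no TTY is attached ("the input device is not a TTY"); `-i` alone, or neither flag, is enough. Minor: `docker run\` lacks the space before the continuation backslash that the following lines have.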
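Review bot: In the readme hunk, the `headers:` option is shown with only `cipher: X-TLS-Cipher`, and the intro says the plugin writes TLS information "to some headers" without listing which keys are accepted; the Configuration section should enumerate the supported keys and what each one carries. It also does not say whether a header of the configured name that is already present in the client's request is replaced: a backend that reads `X-TLS-Cipher` can only trust it if the plugin always overwrites it, so state that guarantee (or its absence) explicitly. The Usage snippet shows `middlewares:` at top level, while the file-provider form in `testconfig/dynamic.yml` nests it under `http:`; aligning the two avoids a copy-pasted config that Traefik ignores. Finally, the sample output contains `X-Forwarded-Server: ri-t-0940`, which looks like an internal host name; replace it with a placeholder such as `<hostname>`.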
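Review bot: In the `testconfig/printheaders.py` hunk, `MyRequestHandler` subclasses `http.server.SimpleHTTPRequestHandler` but only overrides `do_GET`, so the inherited `do_HEAD` still serves files from the process's current directory; `http.server.BaseHTTPRequestHandler` gives the same header-echo behaviour without any file serving. The server also binds `("", PORT)`, i.e. every interface, while Traefik only reaches it at `http://localhost:8888` per `dynamic.yml`; binding to `("127.0.0.1", PORT)` keeps the header dump off the network. Sending `Content-Type: text/plain` and `Content-Length` before `end_headers()` would also make the response well-formed for clients other than curl.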
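Review bot: In the `testconfig/traefik.yml` hunk, `api.insecure: true` enables the dashboard and API on the default `:8080` entrypoint with no authentication, and because the Makefile runs this container with `--network host`, that listener sits on the host. If the dashboard is not needed for the test, drop the `api` block; if it is, set `insecure: false` and expose it through an entrypoint behind an auth middleware, or at minimum add a comment that this file is for local testing only. `tls: {}` on `websecure` yields Traefik's default self-signed certificate, which is why the readme's `curl` needs `-k`; a comment saying so would help anyone who tries to reuse this file outside the test.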