diff --git a/CHANGELOG.md b/CHANGELOG.md index cbc279fe0..971c9d7b1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,44 @@ ## Changelog +### [v1.6.14](https://github.com/fabiolb/fabio/releases/tag/v1.5.14) - 9 Sep 2020 + + +#### Bug Fixes + +* [PR #644](https://github.com/fabiolb/fabio/pull/644) - Better error handling (@danlsgiga) + +* [PR #739](https://github.com/fabiolb/fabio/pull/739) - Fix infinite buffering of SSE responses when gzip is enabled (@ctlajoie) + +* [PR #733](https://github.com/fabiolb/fabio/pull/733) - Add missing entry to example route (@BenjaminHerbert) + +* [PR #674](https://github.com/fabiolb/fabio/pull/674) - Deprecate deregisterCriticalServiceAfter option (@pschultz) + +* [PR #648](https://github.com/fabiolb/fabio/pull/648) - Issue #647 NormalizeHost (@murphymj25) + +* [Issue #737](https://github.com/fabiolb/fabio/issues/737) - Preserve table state by storing buffer table in fixed strings (@leprechau) + +* [PR #774](https://github.com/fabiolb/fabio/pull/774) - Documentation fixes (@Oxflotus) + +* [PR #775](https://github.com/fabiolb/fabio/pull/775) - fix typo in comments (@josgraha) + +* [PR #787](https://github.com/fabiolb/fabio/pull/787) - fix matchingHostNoGlob sometimes returns incorrect host (@nathanejohnson @leprechau) + +#### Improvements + +* [PR #626](https://github.com/fabiolb/fabio/pull/626): Add TCP Dynamic support (@murphymj25) + +* [PR #635](https://github.com/fabiolb/fabio/pull/635): Add idleTimeout to config and to serve.go HTTP server (@galen0624) + +* [PR #572](https://github.com/fabiolb/fabio/pull/572): Issue #558 - Add Polling Interval from Fabio to Consul to Fabio Config (@galen0624) + +* [PR #615](https://github.com/fabiolb/fabio/pull/615): Issue #554 - Added compiled glob matching using LRU Cache (@galen0624 @magiconair @leprechau) + +* [PR #715](https://github.com/fabiolb/fabio/pull/715): Add HTTP method and path to trace span operation name (@hobochili) + +* [PR #489](https://github.com/fabiolb/fabio/pull/489): Pass encoded characters in path unchanged (@valentin-krasontovitsch) + +* [PR 
#784](https://github.com/fabiolb/fabio/pull/784): Add https+tcp+sni listener support (@nathanejohnson) + ### [v1.5.13](https://github.com/fabiolb/fabio/releases/tag/v1.5.13) - 18 Nov 2019 #### Bug Fixes diff --git a/Dockerfile-goreleaser b/Dockerfile-goreleaser index 1e0f7894b..aaa52bf0f 100644 --- a/Dockerfile-goreleaser +++ b/Dockerfile-goreleaser @@ -1,4 +1,4 @@ -FROM alpine:3.10 +FROM alpine:3.12 RUN apk update && apk add --no-cache ca-certificates COPY fabio /usr/bin ADD fabio.properties /etc/fabio/fabio.properties diff --git a/docs/content/faq/verifying-releases.md b/docs/content/faq/verifying-releases.md index afe20c47f..e452af454 100644 --- a/docs/content/faq/verifying-releases.md +++ b/docs/content/faq/verifying-releases.md 
@@ -7,6 +7,67 @@ and by verifying the checksums with a GPG key. You can verify the SHA256 checksums with the GPG key below. You can also download it from most key servers using the ID + +For fabio release 5.14 and newer: + +[`76462AB9B0C185ABC66FD98F59861FC4870361CA`](http://pgp.key-server.io/search/0x76462AB9B0C185ABC66FD98F59861FC4870361CA) + + -----BEGIN PGP PUBLIC KEY BLOCK----- + + mQINBF40mfQBEADHOlocoiOY66SLZtzJjCNKFeerYH2zHNU3sLK+sHp/76MUrPV4 + uDG3T6a6QK0HUKLy/hxKh/wftNCOaSYTwNVbYJ1EYBnBEgxuKNM8K5xOCKjwWrXF + J80xoXBJXXmJvOFHEoWjUnDAMVUJyf3bt0sT0vOA5OTdbd2LhimDOpeIiO/umZKp + 0ZsDcjUPUuIenqnKyk4UwAfXdWxrj2g5/But1n3nasvgtEtQg9CaSloh6Zgzcy+3 + I+jpCn2FLOay+THABkM+XmjSYudkIFlqsZwkB2GxwTaRXENt8QUK7i4GWVCcPN6x + gYgIz9uLZQXkkxGZvasC5fUm/W6F0pyz1wUbbizhDuBhoez3XdJdhW8nWCT6rg5M + ejgkSVoG/fqoG9SoFXeTlQjZJSc8+0pTgWsqnuwmM+eFllvORSKS7uwBNg7jvFPv + 4yLGCR5bGxTX7VM4XPkLR2pUF/nHmSohiGOWpqw+PRVwOWBBMi+r4c4SckR4MMOB + NK+KJTQnildsnqw/mvf98Op4GrAtD4MQDFRKD2TSIq60qFTe6MF77P50Z33r6x5x + CPN7XYTzZKPPiHf5uWtyOvH3V+vxHX2N0zAsRADXW+Jsly/Wwt0k8Km3beaF/Jvw + AFQwneh50L5Pv+Tb+8b6xS8gvIeGPgs4lcxRDxFEcFKN58OjtDelN212cQARAQAB + tCVhZG1pbkBmYWJpb2xiLm5ldCA8YWRtaW5AZmFiaW9sYi5uZXQ+iQJUBBMBCgA+ + FiEEdkYqubDBhavGb9mPWYYfxIcDYcoFAl40mfQCGwMFCQk/xgAFCwkIBwMFFQoJ + CAsFFgIDAQACHgECF4AACgkQWYYfxIcDYcqCgQ/8CfH2EBmBlHB7jlI4nFu17fqV + WTXxhuo2UcTCQ3G8at32V27FZTFq64rtY7/QmY3HyHhdn77NXzIlLDsaD07IEBpw + GFf05V1vVm/Y+DB/3vmHr+bEP5bB4RZqYz+U1cSGTEg2S3sOuz416gJdoCFN8Lin + 1fHRuGfZTJ2j2oQhUsYbt+GBpPm7xtpqK4yfCd4gT2vhDzbDG9QSLMrrLh/aA6Ya + IcZZCsXpnRPhfvPrp0LuIY9Lml+EaMfNxsoXYl2W5c+BpXG93ThSLKPc8XM/7e4A + CkRWNLKihVZNDmGCIy2FIFIV9YlEIhAAtZPhsUE3rnrIUgHETPYwDvAJB4pbJrLe + bwnRuWZlYNsPZp8W4RxbQVcHpsg+sWoyAkykWxs9FbxgXEGd0+wP5tumFquyfijg + eQLnsFU7KlQA+5Rh6ulrvzMNHFBYLoPa+U1soR6Jg0hCPhkzc+6tzTrmUCg7H7+i + 49szuN2KZr6k5GR+f2p9mOlnHmjJSJVULtnBQJMfTEnqzszvw9OgO1j72x7hTVRO + UQSV6NXr0GFr293iTJS1x2/zFETCZelxVwbyp0t/psDz8nv6aXMcSjzcoWgmRRcP + zpfNidLLp3Ym9XKtz7kvPI/PRTsHoO+qw6H6Kw8jMxxIv5hApCI/YOt5GFBlXmZq + 
hBckyt1rS0kW5zQsStS5Ag0EXjSZ9AEQAMrim1LXqnqdMJlc6sj++TZgoLeYmtSI + 4n/J1AGk9/BIumJKgCL5TPvUhz7HUWjhOqhtH/1/EyxPTI25Up7QcQKb0TYG/6Gn + 3mIeBsvTdPZWmwq0e7aCrTSU8bYNnuMKAFxlPPG/lu7v1QQkaPgbEMOZI7cDA7V8 + TLs/uQcAjGPdu2f2mJ/m+kgjeOwud+43CF4aI2/eVd39DqjjDrRImUc3OXypE4vW + PRq2ooSnS7VE0yU3QBubdPB8Y7x7R5bDE9fgLjZ9t//bSLgZfVzZoc7TvycH9opk + zr1LD4XEdZYFWc1h7++ci+f75/QQppPto3ItK61oUnpyO5J0Bl/Ay7086xU8b5Be + mPFDVMUE8SW2a+baaDKwbYUvImSI2CwNkCuYieGuAueMkY+Coe7AdaDhtuzINkby + e9ALGGbpRi/ByURQoW9akQt+ap7I8/bdp+IFYWT8K1HFogd5y0+TYaatpnT9jJYM + 64GtnDhyD2ncyLNM1a7YOn4e+WWiK8datzn962VsaSXjAPKvVROkgLoedDU9oiDm + ITDZgcsyY6ATgYmzlN2Qm8ubig1adZdGWsWzv0d9Qj8AEzsPqRVrQ6Ofc/sNi5Y3 + ELSOpWUOetbKEBFYe3oA2Bu6LOqd3lcKittWke3RMkehKFqxFdmBwjcrCtIjLicv + IemWK6rAAYmJABEBAAGJAjwEGAEKACYWIQR2Riq5sMGFq8Zv2Y9Zhh/EhwNhygUC + XjSZ9AIbDAUJCT/GAAAKCRBZhh/EhwNhyrzoEACe9SVpr6TaFvIcfcvj9d4FOmiK + Tgm64SEnYDDs6JhzD3p38Ut80d6y2vg9WUMUA3dhftbAyr/rqkZghiV3UhWJGPJm + AGWVG3p5TpSPCloFUlHHMWXCJm4UAoo75ud15PYD8CtUfOYc68A7a+9f+1dC5gRy + rVjBltWshsai+CjksRlg64wGMvJL7ghcsGoxFOzU/khGvo5JZ3OzObscYLxBKPnY + sUPerHnKB63CYxNfkd2aziapE7zXqoN1ZAFKwsBp38CiuBIT+8bb6+vAy9azfW/J + mGqjn4vfBUpdTsPbRRRI3CAoUN8R5QqVCCzV6hcv2p921ZWNpO0QxaHJYq0W3mwH + ls5eJOWJwx3qZ8ZB84fnuUb1YhzNjOSJDjgE8ZJ1iHf+ZTpqNRNbsyshfPcI5FYR + /PKPXTGNTeTFAXiQ/UjxFK/UEVWs3mDfqtyvC+Z5s7jCGabPwoOvWeHGMHUWWZRv + NU+TL+pUMWY29wKsDsk7zriokCDApNnJJb52/tIzk/XHMLPBjGSoYinKYMALYbAp + 6UvSeJ6cJ/+5vwXJadMyiYrsPPQiuVCUfVg6KcX6B/+2MaKoyY3s8DaZ1vFdtZcg + 1tjLI383GOEuDGfUDOgrlTikgpxbT2q4Zq80aQhPD8mMlpqdTO4UWfvwwx0FPH04 + 5xVKlvTztaHhtaWHkg== + =b3Un + -----END PGP PUBLIC KEY BLOCK----- + + +For release 5.13 and older: + [`D8B19A29317E92E470D7CD67021E03CADDA53977`](http://pgp.key-server.io/search/0xD8B19A29317E92E470D7CD67021E03CADDA53977) 
@@ -78,18 +139,18 @@ For example: ``` # This is the public key from above - one-time step. -gpg --import magiconair.asc +gpg --import fabiolb.asc # Download the binary and signature files. -curl -OsL https://github.com/eBay/fabio/releases/download/v1.3.2/fabio-1.3.2-go1.7.1_linux-amd64 -curl -OsL https://github.com/eBay/fabio/releases/download/v1.3.2/fabio-1.3.2.sha256 -curl -OsL https://github.com/eBay/fabio/releases/download/v1.3.2/fabio-1.3.2.sha256.sig +curl -OsL https://github.com/fabiolb/fabio/releases/download/v1.5.14/fabio-1.5.14-go1.7.1_linux-amd64 +curl -OsL https://github.com/fabiolb/fabio/releases/download/v1.5.14/fabio-1.5.14.sha256 +curl -OsL https://github.com/fabiolb/fabio/releases/download/v1.5.14/fabio-1.5.14.sha256.sig # Verify the signature file is untampered. -gpg --verify fabio-1.3.2.sha256.sig fabio-1.3.2.sha256 +gpg --verify fabio-1.5.14.sha256.sig fabio-1.5.14.sha256 # Verify the SHASUM matches the binary. -shasum -a 256 -c fabio-1.3.2.sha256 +shasum -a 256 -c fabio-1.5.14.sha256 ``` ## Note diff --git a/docs/content/feature/_index.md b/docs/content/feature/_index.md index 0a6a28984..e92a573f4 100644 --- a/docs/content/feature/_index.md +++ b/docs/content/feature/_index.md 
@@ -20,6 +20,7 @@ The following list provides a list of features supported by fabio. * [Server-Sent Events/SSE](/feature/sse/) - support for Server-Sent Events/SSE * [TCP Proxy Support](/feature/tcp-proxy/) - raw TCP proxy support * [TCP-SNI Proxy Support](/feature/tcp-sni-proxy/) - forward TLS connections based on hostname without re-encryption + * [HTTPS TCP-SNI Proxy Support](/feature/https-tcp-sni-proxy/) - forward TLS connections based on hostname without re-encryption, or fallback to fabio terminating TLS and path routing as a fallback * [Traffic Shaping](/feature/traffic-shaping/) - forward N% of traffic upstream without knowing the number of instances * [Web UI](/feature/web-ui/) - web ui to examine the current routing table * [Websocket Support](/feature/websockets/) - websocket support diff --git a/docs/content/feature/https-tcp-sni-proxy.md b/docs/content/feature/https-tcp-sni-proxy.md new file mode 100644 index 000000000..cbe654c5b --- /dev/null +++ b/docs/content/feature/https-tcp-sni-proxy.md 
@@ -0,0 +1,24 @@ +--- +title: "HTTPS TCP-SNI Proxy" +since: "1.5.14" +--- + +fabio can run a TCP+SNI routing proxy on a listener, and have fallback to https functionality. + This is effectively an amalgam of the TCP-SNI Proxy and the HTTPS functionality. + + To enable this feature configure a listener as follows: + + ``` + fabio -proxy.addr=':443;proto=https+tcp+sni;cs=somecertstore' + ``` + +For host matches that are proto=tcp or have a scheme of tcp://, this will proxy TCP using SNI. + +You would register your service in [Consul](https://consul.io) with a `urlprefix-` tag that +matches the host from the SNI extension for any services that should be proxied TCP (TLS +terminated by upstream). If the upstream service you'd like to proxy TCP responds to +`https://foo.com/...` then you should register a `urlprefix-foo.com/ proto=tcp` tag for this +service. + +For path based matching, you would do the typical `urlprefix-/path/` and this would cause +fabio to terminate TLS using the cs= line specified in the config. diff --git a/docs/content/ref/proxy.addr.md b/docs/content/ref/proxy.addr.md index 9b4e04abc..a3f50649f 100644 --- a/docs/content/ref/proxy.addr.md +++ b/docs/content/ref/proxy.addr.md @@ -22,6 +22,8 @@ The supported protocols are: * `grpcs` for GRPC+TLS based protocols * `tcp` for a raw TCP proxy with or witout TLS support * `tcp+sni` for an SNI aware TCP proxy +* `tcp-dynamic` for a consul driven TCP proxy +* `https+tcp+sni` for an SNI aware TCP proxy with https fallthrough If no `proto` option is specified then the protocol is either `http` or `https` depending on whether a 
@@ -56,8 +58,8 @@ to the destination without decrypting the traffic. http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt * `pxytimeout`: Sets PROXY protocol header read timeout as a duration (e.g. '250ms'). - This defaults to 250ms if not set when 'pxyproto' is enabled. - + This defaults to 250ms if not set when `pxyproto` is enabled. +* `refresh`: Sets the refresh interval to check the route table for updates. Used when `tcp-dynamic` is enabled. #### TLS options * `tlsmin`: Sets the minimum TLS version for the handshake. This value @@ -104,6 +106,12 @@ to the destination without decrypting the traffic. # TCP listener on port 443 with SNI routing proxy.addr = :443;proto=tcp+sni + # TCP listener on port 443 with SNI routing with HTTPS fallthrough + proxy.addr = :443;proto=https+tcp+sni;cs=some-name + + # TCP listeners using consul for config with 5 second refresh interval + proxy.addr = 0.0.0.0:0;proto=tcp-dynamic;refresh=5s + The default is proxy.addr = :9999
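Review bot: In the CHANGELOG.md hunk the new heading text reads `v1.6.14` while its link targets `releases/tag/v1.5.14` and the entry below it is `v1.5.13`; the heading should read `v1.5.14`. The Bug Fixes entries separate link and description with ` - ` and the Improvements entries use `:`; pick one separator for the whole release entry.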
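Review bot: In Dockerfile-goreleaser, `FROM alpine:3.12` is a mutable tag, so the contents of the release image can change between builds with no change to this file; consider pinning the digest next to the tag (`alpine:3.12@sha256:<digest>`). In the unchanged `RUN` line, `apk update` is redundant before `apk add --no-cache`, which fetches a fresh index on its own.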
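Review bot: In the first hunk of docs/content/faq/verifying-releases.md, the labels "For fabio release 5.14 and newer" and "For release 5.13 and older" do not match the version scheme used everywhere else in this patch (`since: "1.5.14"`, `v1.5.13`); they should read 1.5.14 and 1.5.13. The new fingerprint link uses `http://pgp.key-server.io`; use an https URL if the key server offers one. Since the key block and its fingerprint are published on the same page, it would help to tell readers to compare the fingerprint that `gpg` prints against a copy obtained from a second source.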
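Review bot: In the example block of verifying-releases.md (hunk `@@ -78,18 +139,18 @@`), the binary name `fabio-1.5.14-go1.7.1_linux-amd64` keeps the `go1.7.1` suffix from the old 1.3.2 example; please confirm it matches the asset name actually published for v1.5.14. Because `curl -OsL` is run without `-f`, a wrong name saves the server's error body under that filename and the reader only finds out at the `shasum -a 256 -c` step; adding `-f` makes the download fail visibly.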
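Review bot: In docs/content/feature/_index.md, the added bullet says "or fallback to fabio terminating TLS and path routing as a fallback", which repeats "fallback" and leaves the condition unclear. Suggest something like "forward TLS connections based on hostname without re-encryption, falling back to TLS termination and path routing in fabio when no TCP route matches", if that is the intended behaviour.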
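Review bot: The new docs/content/feature/https-tcp-sni-proxy.md does not say what the listener does with a ClientHello that carries no SNI, or with an SNI host that matches no route; since this decides whether fabio or the upstream terminates TLS, it should be stated explicitly. The example uses `cs=somecertstore` while the proxy.addr.md example in this same patch uses `cs=some-name`; use one name and show or link the matching `proxy.cs` definition. Three added lines ("This is effectively", "To enable this feature" and the fenced command) start with a stray leading space.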
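Review bot: In docs/content/ref/proxy.addr.md (hunk `@@ -22,6 +22,8 @@`), "`tcp-dynamic` for a consul driven TCP proxy" does not tell the reader how it differs from `tcp`, and the visible patch adds a feature page for `https+tcp+sni` but none for `tcp-dynamic`. Please add a sentence on what is dynamic (which listeners get created and from what data) or link to a page that explains it. While touching this list, the context line just above has the typo "witout".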
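Review bot: In proxy.addr.md (hunk `@@ -56,8 +58,8 @@`), the new `refresh` option has no documented default or value format, unlike `pxytimeout` directly above it, which states both. The hunk also removes the blank line before `#### TLS options`, so the heading now follows the list item directly and may render as part of the list; keep a blank line between them.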
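Review bot: In the examples hunk of proxy.addr.md (`@@ -104,6 +106,12 @@`), `proxy.addr = 0.0.0.0:0;proto=tcp-dynamic;refresh=5s` uses the address `0.0.0.0:0` without explanation. A reader cannot tell whether this binds all interfaces on an ephemeral port or is a placeholder that the dynamic listeners ignore; add a comment line saying which, because it affects what ends up exposed on the host.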