rpm/traefik
SHA256
1
0
Fork 0
forked from pool/traefik
Code Pull Requests Activity

Compare commits

merge into: rpm:factory
Branches Tags
rpm:factory rpm:devel pool:factory pool:devel
...
pull from: pool:factory
Branches Tags
pool:factory pool:devel rpm:factory rpm:devel

42 Commits
factory ... factory

Author SHA256 Message Date
Ana Guerrero
35640995f1 Accepting request 1302951 from devel:kubic 
Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/1302951
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/traefik?expand=0&rev=40
 2025-09-05 19:44:46 +00:00
Johannes Weberhofer
71062aa4fe Accepting request 1302155 from home:weberho:branches:devel:kubic 
- Removed old update scripts which fixes boo#1245204 for traefik reloease v3.
- Version 3.5.1
  Bug fixes:
    * accesslogs,otel
      - Provide Log Body in OTEL access Log 
    * acme
      - Bump github.com/go-acme/lego/v4 to v4.25.2
    * k8s/gatewayapi
      - Make app protocol case insensitive
    * otel
      - Fix misspelling in docs
    * server
      - Bump to github.com/pires/go-proxyproto v0.8.1
      - Silent expected errors on receiving sigterm signal
    * tracing
      - Fix capturedRequestHeaders and capturedResponseHeaders headers
      options not being canonicalized in tracing
      - Follow OTel semantic conventions for root span naming
    * webui
      - Update Traefik Proxy dashboard UI development deps
    * docker
      - Bump github.com/docker/docker to v28.3.3 (#12007 by kevinpollet)
    * Refactor to use reflect.TypeFor
- Version 3.5.0
Please read the migration guide:
https://doc.traefik.io/traefik/migration/v3/#v350
Enhancements:
  * acme
    - Add acme.httpChallenge.delay option
    - Allow configuration of ACME provider http timeout
    - OCSP stapling
  * healthcheck
    - Add unhealthy Interval to the health check configuration
    - Add url option to healthcheck command
  * k8s/gatewayapi
    - Bump sigs.k8s.io/gateway-api to v1.3.0
  * k8s/ingress
    - Make the behavior of prefix matching in Ingress consistent with
    Kubernetes doc
  * k8s
    - NGINX Ingress Provider
  * middleware,authentication
    - Handle context canceled in ForwardAuth middleware
  * plugins
    - Ability to enable unsafe in yaegi through plugin manifest
  * tls
    - Introduce X25519MLKEM768 for Post-Quantum-Secure TLS
  * webui
    - Improve visualization for StatusRewrites option of errors middleware
    - Migrate Traefik Proxy dashboard UI to React
Bug fixes:
  * healthcheck
    - Revert 11711 adding url param to healthcheck command
  * logs,metrics,tracing,accesslogs,otel
    - Add missing resource attributes detectors
  * logs,tracing,k8s,otel
    - Add k8s resource attributes automatically
  * metrics,otel
    - Add resourceAttributes option to OTel metrics
  * middleware,tracing
    - Introduce trace verbosity config and produce less spans by default
- Synchronized changelog with boo tickets and cve entries
- Version 3.4.5
  * logs
    - Redact logged install configuration (gh#traefik/traefik#11907 by jspdown)
  * plugins
    - Fix client arbitrary file access during archive extraction zipslip
      (gh#traefik/traefik#11911 by odaysec)
  * server
    - Disable MPTCP by default (gh#traefik/traefik#11918 by rtribotte)
  * http3
    - Bump github.com/quic-go/quic-go to v0.54.0 (gh#traefik/traefik#11919 by GreyXor)
- Fixed boo#1246094 bad logrotate configuration allows potential escalation
  from traefik to root
- Disabled MPTCP which caused issues (see gh#traefik/traefik#11869
- Version 3.4.4
  - k8s/gatewayapi
    * Respect service.nativelb=false annotation when nativeLBByDefault is
      enabled (gh#traefik/traefik#11847 by sdelicata)
  - service
    * Fix concurrent access to balancer status map in WRR and P2C 
      strategies (gh#traefik/traefik#11887 by kevinpollet)
- Version 3.4.3
  - http3
    * Bump quic-go to v.0.49.0
  - middleware
    * Do not log redis sentinel username and password
- Improved logging
- Added logrotate configuration
- Allow reloading the traefik-service via systemctl
- Removed manual download service and manual checksum verification
- Version 3.4.1
  - fix for CVE-2025-47952 boo#1243818
  - docker
    * Do not warn network missing if connected to a container network
      (#11698 by holysoles)
  - k8s/crd
    * Fix CEL validation for RootCA in ServersTransport (#11775 by rtribotte)
  - middleware
    * Scope the rate limit counter key by source and by middleware
      (#11753 by aromeyer)
  - server
    * Use routing path in v3 matchers (#11790 by kevinpollet)
  - service
    * Make P2C strategy thread-safe (#11762 by lbenguigui)
  - webui
    * Do not display RemoveHeader option when not defined (#11782 by kevinpollet)
- Important: please read the migration guide in regards to v3.4.0 changes
- Version 3.4.0 changes
  - acme
    * Add acme.profile and acme.emailAddresses options (#11597 by ldez)
  - docker,ecs,docker/swarm,consulcatalog,nomad
    * Allow configuring server URLs with label providers (#11374 by yelvert)
  - k8s/crd
    * Improve CEL validation on Ingress CRD resources (#11311 by mloiseleur)
    * Remove default load-balancing strategy from CRD (#11701 by kevinpollet)
    * Restrict regex validation of HTTP status codes for Ingress CRD resources (#11670 by jnoordsij)
  - k8s/gatewayapi
    * Set rule priority in Gateway API TLSRoute (#11443 by augustozanellato)
  - k8s/ingress
    * Add ingress status for ClusterIP and NodePort Service Type (#11100 by mlec1)
  - middleware,authentication
    * Add option to preserve request method in forwardAuth (#11473 by an09mous)
  - middleware
    * Support rewriting status codes in error page middleware (#11520 by sevensolutions)
    * Add Redis rate limiter (#10211 by longquan0104)
  - service
    * Add p2c load-balancing strategy for servers load-balancer (#11547 by rtribotte)
  - sticky-session
    * Support domain configuration for sticky cookies (#11556 by jleal52)
  - tls,k8s/crd,service
    * Allow root CA to be added through config maps (#11475 by Nelwhix)
  - tls
    * Add support to disable session ticket (#11609 by avdhoot)
  - udp
    * Add support for UDP routing in systemd socket activation (#11022 by tsiid)
  - webui
    * Add auto webui theme option and default to it (#11455 by zizzfizzix)
  - Replace experimental maps and slices with stdlib (#11350 by Juneezee)
  - Bump github.com/redis/go-redis/v9 to v9.7.3 (#11687 by kevinpollet)
- Important: Please read the migration guide in regards to v3.3.6 changes
- Version 3.3.6 changes
  * The incoming request path is now cleaned before being used to
    match the router rules and sent to the backends. Any /../, /./ or duplicate
    slash segments in the request path is interpreted and/or collapsed.
  * Bump golang.org/x/net to v0.38.0
    Fix for boo#1241731 and boo#1241733: CVE-2025-22872
  - Bump golang.org/x/oauth2 to v0.28.0
      Fix for boo#1239228 CVE-2025-22868
- Please read the migration guide in regards to v3.3.5 changes
- Version 3.3.5 changes
  - k8s/gatewayapi
    * Set scheme to https with BackendTLSPolicy (#11586 by rtribotte)
  - middleware
    * Revert compress middleware algorithms priority to v2 behavior (#11641 by rtribotte)
    * Do not abort request when response content-type is malformed (#11628 by kevinpollet)
    * Compress data on flush when compression is not started (#11583 by kevinpollet)
  * Updates
    - Bump github.com/go-jose/go-jose/v4 to v4.0.5
      fix boo#1237621 CVE-2025-27144
    - Bump github.com/golang-jwt/jwt to v4.5.2 and v5.2.2
      fix boo#1240454 CVE-2025-30204
    - Bump x/crypto to v0.35.0
      fix for boo#1239383 CVE-2025-22869, boo#1239363 CVE-2025-22869
- Change traefik user's home directory to /var/lib/traefik. This
  will allow traefik to store data for plugins from https://plugins.traefik.io/plugins
  without permission issues
  This change will reflect on existing installations automatically
- Version 3.3.4 changes
  - fastproxy
    * Bump github.com/valyala/fasthttp to v1.58.0 (#11526 by kevinpollet)
    * Add WebSocket headers if they are present in the request (#11522 by kevinpollet)
    * Chunked responses does not have a Content-Length header (#11514 by kevinpollet)
  - metrics, otel
    * Change request duration metric unit from millisecond to second (#11523 by rtribotte)
  - sticky-session
    * Fix double hash in sticky cookie (#11518 by juliens)
  - tracing
    * Use ResourceAttributes instead of GlobalAttributes (#11515 by bruno-de-queiroz)
    * Fix panic when calling Tracer (#11479 by basgys)
- Upgrade fixed boo#1235167
- Package mentioned in boo#1235270 CVE-2024-45338 has been upgraded
- Version 3.3.3 changes
  - api
    * Do not create observability model by default (#11476 by rtribotte)
  - fastproxy
    * Fix content-length header assertion (#11498 by kevinpollet)
    * Handle responses without content length header (#11458 by rtribotte)
  - k8s/crd, k8s
    * Add missing headerField in Middleware CRD (#11499 by jspdown)
  - tracing, accesslogs
    * Bring back TraceID and SpanID fields in access logs (#11450 by rtribotte)
- Fix possible privilege escalation when mofing the acme.json file to the new
  location. Thanks Johannes Segitz (fix for boo#1235408)
- Version 3.3.2
  - fastproxy
    * Do not read response body for HEAD requests (gh#traefik/traefik#11442)
  - metrics,tracing,accesslogs
    * Fix observability configuration on EntryPoints (gh#traefik/traefik#11446)
  - webui
    * Set content-type when serving webui index  (gh#traefik/traefik#11428)
- Version 3.3.1 changes
  - acme
    * Add options to control ACME propagation checks (#11241 by ldez)
  - api
    * Add support dump API endpoint (#11328 by mmatur)
  - http
    * Set Host header in HTTP provider request (#11237 by nikonhub)
  - k8s/crd, k8s
    * Make the IngressRoute kind optional (#11177 by skirtan1)
  - k8s/ingress, sticky-session, k8s/crd,k8s
    * Support serving endpoints (#11121 by BZValoche)
    * Fix fenced server status computation (#11361 by kevinpollet)
  - logs, accesslogs
    * OpenTelemetry Logs and Access Logs (#11319 by rtribotte)
    * Add experimental flag for OTLP logs integration (#11335 by kevinpollet)
  - metrics, tracing, accesslogs
    * Manage observability at entrypoint and router level (#11308 by rtribotte)
  - middleware, authentication
    * Add an option to preserve the ForwardAuth Server Location header (#11318 by Nelwhix)
    * Only calculate basic auth hashes once for concurrent requests (#11143 by michelheusschen)
    * Send request body to authorization server for forward auth (#11097 by kyo-ke)
  - plugins
    * Add AbortOnPluginFailure option to abort startup on plugin load failure (#11228 by bmagic)
  - sticky-session
    * Configurable path for sticky cookies (#11165 by IIpragmaII)
  - webui, api
    * Configurable API & Dashboard base path (#11250 by rtribotte)
- Version 3.2.5
  - websocket,server 
    * Disable http2 connect setting for websocket by default 
      (gh#traefik/traefik#11412)
- Version 3.2.4
  - acme
    * Update go-acme/lego to v4.21.0 (gh#traefik/traefik#11368)
  - k8s/gatewayapi
    * Support empty value for core Kubernetes API group (gh#traefik/traefik#11386)
  - middleware
    * Fix typo in basicauth note (gh#traefik/traefik#11397)
  - service
    * Configure ErrorLog in httputil.ReverseProxy (gh#traefik/traefik#11344)
  - tls
    * Upgrade github.com/spiffe/go-spiffe/v2 to v2.4.0 (gh#traefik/traefik#11385)
  - Remove duplicate github.com/coreos/go-systemd dependency (gh#traefik/traefik#11354)
  - Bump golang.org/x/net to v0.33.0 (gh#traefik/traefik#11365)
    mentioned in boo#1235256 CVE-2024-45338
- Version 3.2.3 
  - Fix for boo#1234513 CVE-2024-4533
  - acme
    * Update go-acme/lego to v4.20.4 (gh#traefik/traefik#11295)
  - http3
    * Update github.com/quic-go/quic-go to v0.48.2 (gh#traefik/traefik#11320)
  - docker,docker/swarm
    * Rename traefik.docker.* labels for Docker Swarm to traefik.swarm.* (gh#traefik/traefik#11247)
  - plugins
    * Fix WASM settings (gh#traefik/traefik#11321)
  - rules
    * Fix models mechanism for default rule syntax (gh#traefik/traefik#11300)
  - server
    * Update golang.org/x dependencies (gh#traefik/traefik#11336, CVE-2024-45337, boo#1234502)
- golang-jwt has been updated to version 4.5.1 to fix CVE-2024-51744 and boo#1232940
- Version 3.2.1 changes
  - acme
    * Update go-acme/lego to v4.20.2 (gh#traefik/traefik#11263 by ldez)
  - logs
    * Change level of peeking first byte error log to DEBUG for Postgres 
      (gh#traefik/traefik#11270 by rtribotte)
  - k8s/ingress,k8s
    * Fix HostRegexp config for rule syntax v2 (gh#traefik/traefik#11288 by kevinpollet)
  - logs Change level of peeking first byte error log to DEBUG for Postgres
    (gh#traefik/traefik#11270 by rtribotte, gh#traefik/traefik#11254 by rtribotte)
  - service
    * Fix internal handlers ServiceBuilder composition (gh#traefik/traefik#11281 by juliens)
  - service,fastproxy Fix case problem for websocket upgrade
    (gh#traefik/traefik#11246 by juliens)
  - server
    * Change level of peeking first byte error log to DEBUG (gh#traefik/traefik#11254 by rtribotte)
    * Apply keepalive config to h2c entrypoints (gh#traefik/traefik#11276 by davefu113)
  - middleware,server
    * Drop untrusted X-Forwarded-Prefix header (gh#traefik/traefik#11253 by rtribotte)
- Update from 3.1.6 to 3.2.0
- Important: please read the migration guide when migrating to version 3.2.0
- Version 3.2.0 changes
  - acme
      * Remove same email requirement for certresolvers (#11019 by Emrio)
      * Add support for custom CA certificates by certificate resolver (#10816 by ldez)
      * Add 30 day certificatesDuration step (#10970 by luker983)
  - docker
      * Support HTTP BasicAuth for docker and swarm endpoint (#10776 by 985492783)
  - k8s, k8s/gatewayapi
      * Add supported features to the Gateway API GatewayClass status (#11056 by rtribotte)
      * Update sigs.k8s.io/gateway-api to v1.2.0-rc1 (#11124 by rtribotte)
      * Add support for backend protocol selection in HTTP and GRPC routes (#11051 by rtribotte)
      * Improve Kubernetes GatewayAPI TCPRoute and TLSRoute support (#11042 by rtribotte)
      * Support HTTPRoute destination port matching (#11134 by kevinpollet)
      * Bump sigs.k8s.io/gateway-api to v1.2.0-rc2 (#11131 by kevinpollet)
      * Add support for Gateway API BackendTLSPolicies (#11009 by rtribotte)
      * Support NativeLB option in GatewayAPI provider (#11147 by rtribotte)
      * Support ResponseHeaderModifier filter (#10987 by kevinpollet)
      * Support GRPC routes (#10975 by kevinpollet)
      * Bump sigs.k8s.io/gateway-api to v1.2.0 (#11167 by rtribotte)
      * Ensuring Gateway API reflected Traefik resource name unicity (#11222 by rtribotte)
      * Preserve GRPCRoute filters order (#11199 by kevinpollet)
      * Support http and https appProtocol for Kubernetes Service (#11176 by WillDaSilva)
      * Avoid updating Accepted status for routes matching no Gateways (#11170 by rtribotte)
      * Do not update gateway status when not selected by a gateway class (#11169 by kevinpollet)
      * Document nativeLBByDefault annotation on Kubernetes Gateway provider (#11209 by mloiseleur)
  - k8s/crd, k8s
      * Detail CRD update with v3.2 in the migration guide (#11164 by mloiseleur)
  - k8s/gatewayapi
      * Add missing RBAC in the migration guide (#11189 by mloiseleur)
  - k8s
      * Fix instructions for downloading CRDs of Gateway API v1.2 (#11191 by mloiseleur)
  - metrics, otel
      * Allow setting service.name for OTLP metrics (#10917 by cmartell-at-ocp)
  - middleware
      * Record trace id and EntryPoint span id into access log (#10921 by weijiany)
      * Support LogUserHeader with forwardAuth middleware (#10833 by GaleHuang)
      * Add encodings option to the compression middleware (#10943 by wollomatic)
      * Add support for ipv6 subnet in ipStrategy (#9747 by michal-kralik)
  - nomad
      * Support for watching instead of polling Nomad (#10997 by deverton-godaddy)
  - server
      * Introduce a fast proxy mode to improve HTTP/1.1 performances with backends (#11122 by kevinpollet)
      * Configurable max request header size (#10995 by lucasrod16)
  - service
      * Add mirrorBody option to HTTP mirroring (#11032 by MatteoPaier)
      * Add an option to preserve server path (#11192 by mmatur)
      * Detect and drop broken conns in the fastproxy pool (#11212 by kevinpollet)
  - Merge branch v3.1 into v3.2 (#11219 by kevinpollet)
  - Merge branch v3.1 into master (#11153 by kevinpollet)
- Version 3.1.7 changes
  - k8s
    * Preserve HTTPRoute filters order (#11198 by kevinpollet)
  - Merge branch v2.11 into v3.1
- Update from 3.1.4 to 3.1.6
- Version 3.1.6 changes
  - middleware
    * Reuse compression writers (#11168 by michelheusschen)
    * Use correct default weight in Accept-Encoding (#11084 by michelheusschen)
  - plugins
    * Close wasm middleware to prevent memory leak (#11151 by ttys3)
- Version 3.1.5 changes
  - k8s, ingress
    * Disable IngressClass lookup when disableClusterScopeResources is enabled (#11111 by jnoordsij)
  - server
    * Rework condition to not log on timeout (#11132 by rtribotte)
  - Merge branch v2.11 into v3.1
- Update to version 3.1.4
  - Fixes CVE-2024-45410, boo#1230842
  - k8s, ingress, rules, crd
    * Allow configuring rule syntax with Kubernetes Ingress annotation
    * Re-allow empty configuration for Kubernetes Ingress provider
    * Remove mentions about APIVersion traefik.io/v1
    * Update quick-start-with-kubernetes.md to include required permissions
  - middlewares, metrics
    * Wrap capture for services used by pieces of middleware
    * Mention missing metrics removal in the migration guide
    * Guess Datadog socket type when prefix is unix
  - plugins
    * Removes goexport dependency and adds _initialize
  - tracing
    * Fix tracing documentation
    * OTLP doc + potential panic
- Update ldflags to point to correct traefik version (v3 instead of v2)
- Moved /etc/traefik/acme.json to /var/lib/traefik/acme.json to allow traefik
  running with "ProtectSystem=full" write access to the certificate store.
  The acme.json file will be automatically moved and the configuration will be
  updated accordingly.
- Added /usr/lib/sysctl.d/90-itraefik.conf to increase UDP Buffer sizes as explained
   at https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes
- Fixed service-file: set working directory, so that the /etc/traefik/acme.json
  file can be written in /etc/traefik/acme.json
- Update to version 3.1.1
  - Bug fixes:
    * grpc: Bump google.golang.org/grpc to v1.64.1
    * k8s/gatewayapi: Do not update route status when nothing changed
    * metrics
      - Fix grafana dashboard to work with scrape interval greater than 15s
      - Update open connections gauge with connections count
      - Use ServiceName in traefik_service_server_up metric
    * docker: Update to github.com/docker/docker v27.1.1
    * webui: Upgrade webui dependencies - fixes boo#1224308 and CVE-2024-4068
- Run traefik as traefik user, fixes boo#1227226
- Added ACME confiuration template
- Update to version 3.1.1
  - Bug fixes:
    * k8s/gatewayapi
      - Do not update route status when nothing changed
    * metrics
      - Fix grafana dashboard to work with scrape interval greater than 15s
      - Update open connections gauge with connections count
      - Use ServiceName in traefik_service_server_up metric
  - Updates
- Fix for CVE-2024-6104, boo#1227059
Important: Please read the migration guide
https://doc.traefik.io/traefik/v3.1/migration/v3/#v30-to-v31
- Update to version 3.1.0
  - enhancements:
    * k8s/crd,k8s
      - Support HealthCheck for ExternalName services
    * k8s/ingress,k8s/crd,k8s
      - Allow to use internal Node IPs for NodePort services
      - Change log level from Warning to Info when ExternalName services
      is enabled
    * k8s/ingress,k8s/crd,k8s,k8s/gatewayapi
      - Migrate to EndpointSlices API
    * k8s,k8s/gatewayapi
      - Bump Gateway API to v1.1.0
      - Compute HTTPRoute priorities
      - Fix route attachments to gateways
      - KubernetesGateway provider is no longer experimental
      - Set Gateway HTTPRoute status
      - Support HTTPRoute method and query param matching
      - Support HTTPURLRewrite filter
      - Support invalid HTTPRoute status
      - Support ReferenceGrant for HTTPRoute backends
      - Support RegularExpression for path matching
    * middleware
      - Add support for Zstandard to the compression middleware
    * middleware,k8s,k8s/gatewayapi
      - Improve HTTPRoute Redirect Filter with port and scheme
      - Support HTTPRoute redirect port and scheme
    * middleware
      - Support Content-Security-Policy-Report-Only in the headers middleware
    * plugins
      - Add logs for plugins load
      - Enhance wasm plugins
    * server
      - Support systemd socket-activation
  - Bug fixes:
    * healthcheck,k8s/crd,k8s
      - Fix Healthcheck default value for ExternalName services
    * k8s,k8s/gatewayapi
      - Do not disable Gateway API provider if not enabled in experimental
      - Retry on Gateway API resource status update
    * middleware,metrics,tracing
      - Upgrade to OpenTelemetry Semantic Conventions v1.26.0
    * otel
      - Bump opentelemetry-go to v1.28
    * plugins
      - Fix build only linux and darwin support wazergo
- Update to version 3.0.4
  * Bug fixes:
    - Fix for CVE-2024-39321 bsc#1227515
    - [ecs] Fix ECS config for OIDC + IRSA (gh#traefik/traefik#10814 by mmatur)
    - [http3] Disable QUIC 0-RTT (gh#traefik/traefik#10867 by mmatur)
    - [middleware,server] Remove interface names from IPv6 (gh#traefik/traefik#10813 by JeroenED)
- Update to version 3.0.3
  * Updated libraries
- Update to version 3.0.2
  * Bug fixes:
    [logs] Bump OTel dependencies (#10763 by DrFaust92)
    [logs] Append to log file if it exists (#10756 by lbenguigui)
    [metrics] Fix service name label_replace in Grafana (#10758 by xdavidwu)
    [middleware] Forward the correct status code when compression is disabled within the Brotli handler (#10780 by rtribotte)
    [middleware] Support Accept-Encoding header weights with Compress middleware (#10777 by ldez)
- Fix in traefik.yml configuration file
- Update to version 3.0.1
  * CVEs:
    * CVE-2024-24788 (bsc#1224018): A malformed DNS message in response to a
      query can cause the Lookup functions to get stuck in an infinite loop.
  * Bug fixes:
    * [k8s/ingress] Fix rule syntax version for all internal routers
      (gh#traefik/traefik#10689 by HalloTschuess)
    * [metrics,tracing] Allow empty configuration for OpenTelemetry metrics
      and tracing (gh#traefik/traefik#10729 by rtribotte)
    * [provider,tls] Bump tscert dependency to 28a91b69a046
      (gh#traefik/traefik#10668 by kevinpollet)
    * [rules,tcp] Fix the rule syntax mechanism for TCP
      (gh#traefik/traefik#10680 by lbenguigui)
    * [tls,server] Remove deadlines when handling PostgreSQL connections
      (gh#traefik/traefik#10675 by rtribotte)
    * [webui] Add support for IP White list
      (gh#traefik/traefik#10740 by davidbaptista)
- Packaging:
  * Use Traefik's src.tar.gz files containing a pre-built frontend to simplify the packaging process
  * Fixes bsc#1224308 and bsc#1224384
- Removed allow-node-21.patch and prepare-sources.sh script
- Moved configuraton from .toml to .yml config
- Update to version 3.0.0
  * Announcment: https://traefik.io/blog/announcing-traefik-proxy-v3-rc/
    * added support for popular, emerging technologies—WebAssembly (Wasm), 
      OpenTelemetry, and Kubernetes Gateway API
    * revamped some key parts of the routing rules
    * added support for some leading edge technologies like HTTP/3, SPIFFE, and Tailscale
  * Migration guide: https://doc.traefik.io/traefik/v3.0/migration/v2-to-v3/
  * Details: https://github.com/traefik/traefik/releases/tag/v3.0.0
- Added allow-node-21.patch to allow building with nodejs21, too
- Removed traefik-fix-int-overflow-with-go-generate-10452.patch
- Update to version 2.11.2
  * Fix for boo#1235167 CVE-2024-28180
  
  * Important
    * Read the migration guide at https://doc.traefik.io/traefik/migration/v2/#v2112
  * CVEs:
    * GHSA-7f4j-64p6-5h5v (related to CVE-2023-45288)
    * CVE-2024-28869 (bsc#1222825)
  * Bug fixes:
    * [server] Revert LingeringTimeout and change default value for ReadTimeout
    * [server] Set default ReadTimeout value to 60s
- Update to version 2.11.1:
  * Bug fixes:
    * [acme,tls] Enforce handling of ACME-TLS/1 challenges
    * [acme] Update go-acme/lego to v4.16.1
    * [acme] Close created file in ACME local store CheckFile func
    * [docker,http3] Update to quic-go v0.42.0 and docker/cli v24.0.9
    * [docker,marathon,rancher,ecs,tls,nomad] Allow to configure TLSStore default generated certificate with labels
    * [ecs] Adjust ECS network interface detection logi
    * [logs,tls] Fix log when default TLSStore and TLSOptions are defined multiple times
    * [middleware] Allow empty replacement with ReplacePathRegex middleware
    * [plugins] Update Yaegi to v0.16.1
    * [provider,rules] Don't allow routers higher than internal ones
    * [rules] Reserve priority range for internal router
    * [server,tcp] Introduce Lingering Timeout
    * [tcp] Enforce failure for TCP HostSNI with hostname
    * [tracing] Bump Elastic APM to v2.4.8
    * [webui] Fix dashboard exposition through a router
    * [webui] Display IPAllowlist middleware configuration in dashboard
    * [webui] Make text more readable in dark mode
    * [webui] Migrate to Quasar 2.x and Vue.js 3.x
    * [webui] Add a horizontal scroll for the mobile view
- Remove node_modules.sums left over by obs-service-node_modules 
- configuration changes:
  * Enhanced default configuration file, including configs for http3 support.
  * Docker configuration has been disabled per default, file provider has been enabled.
    The directory for the file provider has been set to /etc/traefik/conf.d
  * Prepared directories for logging in /var/log/traefik
  * Enhanced default configuration file, including configs for http3 support. Settings
    are disabled per default.
- packaging general:
  * Use standard source-download feature, modified _service file and removed _servicedata
  * packagers can invoke `prepare-sources.sh` to doenload sources and prepare go-packages
    as well as node_modules for the built process.
- frontend packaging:
  * The frontend will now be packaged on OBS to have reproduceable builds.
- Go packaging: 
  * Added upstream patch traefik-fix-int-overflow-with-go-generate-10452.patch to
    allow packaging on 32bit architectures gh#traefik/traefik#10451
  * Enabled CGO because there is no cross compilation needed in OSB (we build
    packages for every distribution/architecture seperately). PIE can not be used
    with CGO enabled for most architectures and is reported as failure sinc go 1.22.
    See https://github.com/golang/go/issues/64875
  * Don't use pie-buildmode for ppc64 and s390x architectures
- Update to version 2.11.0:
  * Enhancements:
    * [middleware] Deprecate IPWhiteList middleware in favor of IPAllowList
    * [redis] Add Redis Sentinel support
    * [server] Add KeepAliveMaxTime and KeepAliveMaxRequests features to entrypoints
    * [sticky-session] Hash WRR sticky cookies
  * Bug fixes:
    * [acme] Update go-acme/lego to v4.15.0
    * [authentication] Fix NTLM and Kerberos
    * [file] Fix file watcher
    * [file] Update github.com/fsnotify/fsnotify to v1.7.0
    * [http3] Update quic-go to v0.40.1
    * [middleware,tcp] Add missing TCP IPAllowList middleware constructor
    * [nomad] Update the Nomad API dependency to v1.7.2
    * [server] Fix ReadHeaderTimeout for PROXY protocol
    * [webui] Fixes the Header Button
    * [webui] Fix URL encode resource's id before calling API endpoints
- Fixed packaging of UI
- Update to version 2.10.7:
  * CVEs:
    * CVE-2023-45283 (boo#1216943)
    * CVE-2023-45284 (boo#1216944)
    * CVE-2023-47124 (boo#1217806)
    * CVE-2023-47633 (boo#1217807)
    * CVE-2023-47106 (boo#1217804)
    * GHSA-7v4p-328v-8v5g, CVE-2023-39325 (boo#1216109)
  * Bug fixes:
      * [accesslogs] Fix preflight response status in access logs
      * [accesslogs] Move origin fields capture to service level
      * [acme] Do not check for wildcard domains for non DNS challenge
      * [acme] Remove backoff for http challenge (CVE-2023-47124)
      * [acme] Update go-acme/lego to v4.14.0
      * [consul,consulcatalog] Update github.com/hashicorp/consul/api
      * [http3] Update quic-go to v0.39.1
      * [k8s/crd] Fix multiple subsets endpoint
      * [k8s/ingress,k8s/crd,k8s,hub] Clean code related to Hub
      * [k8s/ingress,k8s] fix: avoid panic on resource backends
      * [kv] Ignore ErrKeyNotFound error for the KV provider
      * [logs] Fixed datadog logs json format issue
      * [metrics] Enable Prometheus provider cleanup when only the router's metrics level is activated
      * [middleware,authentication] Adjust forward auth to avoid connection leak
      * [middleware,server] Improve CNAME flattening to avoid unnecessary error logging
      * [middleware,tracing,plugins] fix: traceability of the middleware plugins
      * [middleware] Allow X-Forwarded-For delete operation
      * [middleware] Encode query semicolons
      * [middleware] Fix stripPrefix middleware is not applied to retried attempts
      * [middleware] Missing trailer with custom errors middleware
      * [middleware] Support informational headers in middlewares redefining the response writer
      * [plugins] Improve error messages related to plugins
      * [provider] Refuse recursive requests (CVE-2023-47633)
      * [server] Deny request with fragment in URL path (CVE-2023-47106)
      * [server] Update x/net and grpc/grpc-go
      * [tracing] Remove deprecated code usage for datadog tracer
      * [tracing] Update DataDog tracing dependency to v1.50.1
      * [webui] Add missing accessControlAllowOriginListRegex to middleware view
      * Fix false positive in url anonymization
    * Misc:
      * [webui] Updates the Hub tooltip content using a web component and adds an option to disable Hub button
- Update Go version (CVE-2023-45283, CVE-2023-45284, CVE-2023-39325)
- Update to version 2.10.1:
  * CVEs
    * CVE-2022-41724 (bsc#1208271)
    * CVE-2023-24534 (bsc#1210127)
    * CVE-2023-29013 (bsc#1210505)
  * Enhancements
    * [docker] Expose ContainerName in Docker provider
    * [hub] Remove hub configuration out of experimental
    * [k8s/crd] Introduce traefik.io API Group CRDs
    * [k8s/ingress,k8s/crd,k8s] Native Kubernetes service load-balancing
    * [middleware,metrics] Add prometheus metric requests_total with headers
    * [nomad] Support multiple namespaces in the Nomad Provider
    * [tracing] Add support to send DataDog traces via Unix Socket
    * [webui] Display period setting of the RateLimit middleware in the webui
    * [webui] Modify the Hub Button
  * Bug fixes
    * [docker] Expose ContainerName in Docker provider
    * [docker] Only warn about missing docker network when network_mode is not host or container
    * [ecs] Prevent panicking when a container has no network interfaces
    * [file] Make file provider more resilient wrt first configuration
    * [hub] hub: get out of experimental.
    * [k8s/crd] Introduce traefik.io API Group CRDs
    * [k8s/ingress,k8s/crd,k8s] Native Kubernetes service load-balancing
    * [logs] Differentiate UDP stream and TCP connection in logs
    * [metrics] Include user-defined default cert for traefik_tls_certs_not_after metric
    * [middleware,metrics] Add prometheus metric requests_total with headers
    * [middleware] Prevent from no rate limiting when average is zero
    * [middleware] Prevents superfluous WriteHeader call in the error middleware
    * [middleware] Sanitize X-Forwarded-Proto header in RedirectScheme middleware
    * [nomad] Fix default configuration settings for Nomad Provider
    * [nomad] Fix Nomad client TLS defaults
    * [nomad] Support multiple namespaces in the Nomad Provider
    * [plugins] Improve DeepCopy of PluginConf
    * [server] Remove User-Agent header removal from ReverseProxy director func
    * [tls,tcp] Adds the support for IPv6 in the TCP HostSNI matcher
    * [tracing] Add support to send DataDog traces via Unix Socket
    * [server] Update golang.org/x/net to v0.7.0 (CVE-2022-41724)
- Update Go version (CVE-2023-24534, CVE-2023-29013)
- Update to version 2.9.6:
  * CVEs
    * CVE-2022-23469
    * CVE-2022-46153
    * CVE-2022-41717
  * Bug fixes
    * [acme] Update go-acme/lego to v4.9.1
    * [k8s/crd] Support of allowEmptyServices in TraefikService
    * [logs] Remove logs of the request
    * [plugins] Increase the timeout on plugin download
    * [server] Update golang.org/x/net (CVE-2022-41717, bsc#1207208)
    * [tls] Handle broken TLS conf better
    * [tracing] Update DataDog tracing dependency to v1.43.1
    * [webui] Add missing serialNumber passTLSClientCert option to middleware panel
- Update to version 2.9.5:
  * Enhancements
    * [acme,tls] ACME Default Certificate
    * [consul,etcd,zk,kv,redis] Update valkeyrie to v1.0.0
    * [consulcatalog,nomad] Support Nomad canary deployment
    * [consulcatalog] Move consulcatalog provider to only use health apis
    * [docker] Add support for reaching containers using host networking on Podman
    * [docker] Use IPv6 address
    * [docker] Add allowEmptyServices for Docker provider
    * [ecs] Add support for ECS Anywhere
    * [healthcheck] Add a method option to the service Health Check
    * [http3] Upgrade quic-go to v0.28.0
    * [http] Start polling HTTP provider at the beginning
    * [k8s/crd,plugins] Load plugin configuration field value from Kubernetes Secret
    * [logs,tcp] Quiet down TCP RST packet error on read operation
    * [metrics] Add traffic size metrics
    * [middleware,pilot] Remove Pilot support
    * [rules,tcp] Support ALPN for TCP + TLS routers
    * [tcp,service,udp] Make the loadbalancers servers order random
    * [tls] Change default TLS options for more security
    * [tracing] Add Datadog GlobalTags support
  * Bug fixes
    * [logs,middleware] Create a new capture instance for each incoming request
    * [acme] Update go-acme/lego to v4.9.0
    * [kv,redis] Fix Redis configuration type
    * [logs,middleware,metrics] Handle capture on redefined http.responseWriters
    * [middleware,k8s] Remove raw cert escape in PassTLSClientCert middleware
    * [plugins] Update Yaegi to v0.14.3
    * Remove side effect on default transport tests
    * [acme] Fix ACME panic
    * [server] Update golang.org/x/net to latest version
    * [consulcatalog] Fix UDP loadbalancer tags not being used with Consul Catalog
    * [docker,rancher,ecs,provider] Simplify AddServer algorithm
    * [plugins] Allow empty plugin configuration
    * [rules] Fix query parameter matching with equal
    * [server] Optimize websocket headers handling
    * [plugins] Update Yaegi to v0.14.2
    * [server] Fix IPv6 addr with square brackets
    * [webui,api] Display default TLS options in the dashboard
- Update to version 2.8.4:
  * Enhancements
    * [consul,consulcatalog] Support multiple namespaces for Consul and ConsulCatalog providers
    * [logs] Add destination address to debug log
    * [middleware,provider,tls] Deprecate caOptional option in client TLS configuration
    * [middleware] Support URL replacement in errors middleware
    * [middleware] Allow config of additional CircuitBreaker params
    * [provider] Implement Traefik provider for Nomad orchestrator
    * [server] Allow HTTP/2 max concurrent stream configuration
    * [tls,k8s/crd] Support certificates configuration in TLSStore CRD
    * [webui,pilot,hub] Add Traefik Hub button and deprecate Pilot
    * [webui,plugins] Reach the catalog of plugins from the Traefik dashboard
  * Bug fixes
    * [docker,docker/swarm] Fix Docker provider mem leak on operation retries
    * [middleware] Fix retry middleware on panic
    * [plugins] Allow Traefik starting even if plugin service is unavailable
    * [marathon] Add missing context in backoff for Marathon
    * [k8s/ingress,k8s] Place namespace before name in router key for Ingress
    * [logs,middleware,tracing] Remove request dump from IPWhitelist debug log and tracing message
    * [metrics] Control allocation and copy of labelNamesValues type
    * [metrics] Fix service up gauge for Prometheus metrics
    * [yaml] Add missing inline tag for YAML serialization
    * [middleware,metrics] Improve performances when Prometheus metrics are enabled
    * [middleware] Support forwarded websocket protocol in RedirectScheme
    * [nomad] Use configured token in the Nomad client
    * [metrics] Ensure Datadog client is cleanly stopped
    * [healthcheck,service] Do not make multiple requests to the same URL for balancer healthcheck
    * [healthcheck,service] Add log when missing path in health check
    * [k8s/gatewayapi] Allow multiple listeners on same port in Gateway API provider
    * [middleware] RedirectScheme redirects based on X-Forwarded-Proto header
    * [rules] Fix HostRegexp and Query muxers
    * [logs] Fix invalid placeholder in log message
- Update to version 2.7.0:
  * Enhancements
    * [consulcatalog] Watch for Consul events to rebuild the dynamic configuration
    * [healthcheck] Add Failover service
    * [http3] Configure advertised port using h3 server option
    * [hub] Add Traefik Hub Integration
    * [k8s/crd,k8s] Allow empty services in Kubernetes CRD
    * [metrics] Support InfluxDB v2 metrics backend
    * [plugins] Remove Pilot token setup constraint to use plugins
    * [provider] Refactor configuration reload/throttling
    * [rules,tcp] Add HostSNIRegexp rule matcher for TCP
    * [tcp] Add muxer for TCP Routers
    * [webui,pilot] Add Traefik Hub access and remove Pilot access
    * [webui] Add a link to service on router detail view
  * Bug fixes
    * [hub] Skip Provide when TLS is nil
    * [tcp] Fix TCP-TLS/HTTPS routing precedence
    * [webui,hub] Use dedicated entrypoint for the tunnels
    * [logs,k8s/crd] Fix log statement for ExternalName misconfig
    * [tcp,service] Fix initial tcp lookup when address is not available
    * [tls] Fix panic when getting certificates with non-existing store
    * [acme] Fix RenewInterval computation in ACME provider
    * [ecs,logs] Remove duplicate error logs
    * [ecs] Filter out ECS anywhere instance IDs
    * [middleware] Re-add missing writeheader call in flush
    * [middleware] Fix bug for when custom page is large enough
    * [middleware] Fix regexp handling in redirect middleware
    * [plugins] Fix slice parsing for plugins
    * [tls] Return TLS unrecognized_name error when no certificate is available
    * [acme] Add domain to HTTP challenge errors
    * [metrics] Fix metrics bucket key high cardinality
    * [middleware,tls] Use CNAME for SNI check on host header
    * [middleware,tracing] Rename Datadog span tags
    * [tls] Apply the same approach as the rules system on the TLS configuration choice
  * Includes a update to gopkg.in/yaml.v3 v3.0.1 which fixes CVE-2022-28948 resp. boo#1248536
- Update to version 2.6.0:
  * Updated Kubernetes Gateway API provider
  * Consul Enterprise support
  * Consul Connect support
  * Inflight request middleware for TCP routers
  * HTTP/3 support (experimental)
  * Added support for loading plugins directly from the filesystem (Local Plugins)
  * Added ability to create Provider Plugins
  * Added TCP Middleware
  * Kubernetes 1.22 API changes
   * Dropped support for Ingress API versions extensions/v1beta1
   * Updated Traefik Proxy CRDs to use API apiextensions.k8s.io/v1
- Update to version 2.4.12:
  * Get Kubernetes server version early
  * Don't remove ingress config on API call failure
  * Ratelimiter: use correct ttlSeconds value, and always call Set
  * Check if defaultcertificate is defined in store
  * Disable ExternalName Services by default on Kubernetes providers
  * Fix: malformed Kubernetes resource names and references in tests
  * Disable Cross-Namespace by default for IngressRoute provider
  * Accesslog: support multiple values for a given header
  * Ignore http 1.0 request host missing errors
  * Headers Middleware: support http.CloseNotifier interface
  * Detect certificates content modifications
  * Update go-acme/lego to v4.4.0
  * Fix: ACME preferred chain.
  * Remove error when HTTProutes is empty
  * Fix incorrect behaviour with multi-port endpoint subsets
  * Kubernetes ingress provider to search via all endpoints
  * Fix plugin unzip call on windows
  * Update Yaegi to v0.9.17
  * Bump paerser to v0.1.4
  * Create buffered signals channel
  * Fix: use defaultEntryPoints when no entryPoint is defined in a TCPRouter
  * Use a dynamic buffer to handle client Hello SNI detection
  * Error span on 5xx only
- Allow to override build date with SOURCE_DATE_EPOCH
  in order to make builds reproducible (boo#1047218)
- Update to version 2.4.8:
  * Prepare release v2.4.8
  * Raise errors for non-ASCII domain names in a router's rules
  * Adding an option to (de)activate Pilot integration into the Traefik dashboard
  * Doc: improve basic auth middleware httpasswd example
  * Add missing `traefik.` prefix across sample config
  * Fix travis docker image pulling for docs
  * updating docs to remove a no longer needed note
  * Update to gateway-api v0.2.0
  * server: updating go-proxyproto with security bugfix from upstream
  * Update go-acme/lego to v4.3.1
- Initial package release to version 1.7.7:
 * Check for watched namespace before getting kubernetes objects
 * Allow empty path with App-root annotation
 * kubernetes: sort and uniq TLS secrets
 * Skip TLS section with no secret in Kubernetes ingress

OBS-URL: https://build.opensuse.org/request/show/1302155
OBS-URL: https://build.opensuse.org/package/show/devel:kubic/traefik?expand=0&rev=89
 2025-09-01 07:53:51 +00:00
Dominique Leuenberger
e0769b5f8c Accepting request 1297689 from devel:kubic 
Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/1297689
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/traefik?expand=0&rev=39
 2025-08-06 12:33:00 +00:00
Johannes Weberhofer
46cabe79b2 - Version 3.5.0 
- Synchronized changelog with boo tickets and cve entries

OBS-URL: https://build.opensuse.org/package/show/devel:kubic/traefik?expand=0&rev=87
 2025-07-29 12:56:05 +00:00
Dominique Leuenberger
95b7e89f2e Accepting request 1295688 from devel:kubic 
OBS-URL: https://build.opensuse.org/request/show/1295688
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/traefik?expand=0&rev=38
 2025-07-27 14:26:24 +00:00
Alexandre Vicenzi
2245e528ca - Version 3.4.5 
* logs
    - Redact logged install configuration (gh#traefik/traefik#11907 by jspdown)
  * plugins
    - Fix client arbitrary file access during archive extraction zipslip
      (gh#traefik/traefik#11911 by odaysec)
  * server
    - Disable MPTCP by default (gh#traefik/traefik#11918 by rtribotte)
  * http3
    - Bump github.com/quic-go/quic-go to v0.54.0 (gh#traefik/traefik#11919 by GreyXor)

OBS-URL: https://build.opensuse.org/package/show/devel:kubic/traefik?expand=0&rev=85
 2025-07-25 07:05:19 +00:00
Ana Guerrero
53beb0b377 Accepting request 1295213 from devel:kubic 
OBS-URL: https://build.opensuse.org/request/show/1295213
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/traefik?expand=0&rev=37
 2025-07-23 14:35:18 +00:00
Alexandre Vicenzi
950ce0ffa1 - Fixed boo#1246094 bad logrotate configuration allows potential escalation 
from traefik to root
- Disabled MPTCP which caused issues (see gh#traefik/traefik#11869
- Version 3.4.4
  - k8s/gatewayapi
    * Respect service.nativelb=false annotation when nativeLBByDefault is
      enabled (gh#traefik/traefik#11847 by sdelicata)
  - service
    * Fix concurrent access to balancer status map in WRR and P2C 
      strategies (gh#traefik/traefik#11887 by kevinpollet)

OBS-URL: https://build.opensuse.org/package/show/devel:kubic/traefik?expand=0&rev=83
 2025-07-23 06:55:06 +00:00
Ana Guerrero
73fdc83483 Accepting request 1288772 from devel:kubic 
OBS-URL: https://build.opensuse.org/request/show/1288772
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/traefik?expand=0&rev=36
 2025-06-27 21:01:53 +00:00
Johannes Weberhofer
9daacc0b1f - Version 3.4.3 
- http3
    * Bump quic-go to v.0.49.0
  - middleware
    * Do not log redis sentinel username and password

OBS-URL: https://build.opensuse.org/package/show/devel:kubic/traefik?expand=0&rev=81
 2025-06-27 05:48:38 +00:00
Ana Guerrero
8a46914a98 Accepting request 1287252 from devel:kubic 
OBS-URL: https://build.opensuse.org/request/show/1287252
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/traefik?expand=0&rev=35
 2025-06-23 12:57:23 +00:00
Johannes Weberhofer
74f878325f - Improved logging 
- Added logrotate configuration
- Allow reloading the traefik-service via systemctl

OBS-URL: https://build.opensuse.org/package/show/devel:kubic/traefik?expand=0&rev=79
 2025-06-20 13:12:38 +00:00
Ana Guerrero
6659e7da2d Accepting request 1283679 from devel:kubic 
OBS-URL: https://build.opensuse.org/request/show/1283679
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/traefik?expand=0&rev=34
 2025-06-06 20:44:56 +00:00
Johannes Weberhofer
9d4141c4e3 - Removed manual download service and manual checksum verification 
OBS-URL: https://build.opensuse.org/package/show/devel:kubic/traefik?expand=0&rev=77
 2025-06-06 13:47:46 +00:00
Johannes Weberhofer
b319fcdee9 Version 3.4.1 
OBS-URL: https://build.opensuse.org/package/show/devel:kubic/traefik?expand=0&rev=76
 2025-06-06 12:28:23 +00:00
Eric Torres
4196022c9f Update to version 3.4.0 
OBS-URL: https://build.opensuse.org/package/show/devel:kubic/traefik?expand=0&rev=75
 2025-05-26 00:44:00 +00:00
Ana Guerrero
5a9c82bf37 Accepting request 1271294 from devel:kubic 
OBS-URL: https://build.opensuse.org/request/show/1271294
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/traefik?expand=0&rev=33
 2025-04-22 15:29:48 +00:00
Alexandre Vicenzi
48b49124bb Update to version 3.3.6 
OBS-URL: https://build.opensuse.org/package/show/devel:kubic/traefik?expand=0&rev=73
 2025-04-22 07:39:15 +00:00
Ana Guerrero
0eacd3d815 Accepting request 1267103 from devel:kubic 
OBS-URL: https://build.opensuse.org/request/show/1267103
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/traefik?expand=0&rev=32
 2025-04-04 16:09:39 +00:00
Johannes Weberhofer
debb4fa066 - Change traefik user's home directory to /var/lib/traefik. This 
will allow traefik to store data for plugins from https://plugins.traefik.io/plugins
  without permission issues

  This change will reflect on existing installations automatically

OBS-URL: https://build.opensuse.org/package/show/devel:kubic/traefik?expand=0&rev=71
 2025-04-04 10:29:47 +00:00
Ana Guerrero
a627deadbf Accepting request 1251678 from devel:kubic 
OBS-URL: https://build.opensuse.org/request/show/1251678
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/traefik?expand=0&rev=31
 2025-03-10 18:07:23 +00:00
Johannes Weberhofer
a8ec124b06 Update to version 3.3.4 from 3.3.2 
OBS-URL: https://build.opensuse.org/package/show/devel:kubic/traefik?expand=0&rev=69
 2025-03-10 08:52:07 +00:00
Ana Guerrero
3b93e86995 Accepting request 1240748 from devel:kubic 
OBS-URL: https://build.opensuse.org/request/show/1240748
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/traefik?expand=0&rev=30
 2025-01-28 13:59:44 +00:00
Johannes Weberhofer
4474ce9d94 - Fix possible privilege escalation when mofing the acme.json file to the new 
location. Thanks Johannes Segitz (fix for boo#1235408)
- Version 3.3.2
  - fastproxy
    * Do not read response body for HEAD requests (gh#traefik/traefik#11442)
  - metrics,tracing,accesslogs
    * Fix observability configuration on EntryPoints (gh#traefik/traefik#11446)
  - webui
    * Set content-type when serving webui index  (gh#traefik/traefik#11428)

OBS-URL: https://build.opensuse.org/package/show/devel:kubic/traefik?expand=0&rev=67
 2025-01-28 10:03:32 +00:00
Ana Guerrero
d590ae4897 Accepting request 1238016 from devel:kubic 
OBS-URL: https://build.opensuse.org/request/show/1238016
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/traefik?expand=0&rev=29
 2025-01-15 16:45:15 +00:00
Johannes Weberhofer
b4c77000da - Version 3.3.1 changes 
- acme
    * Add options to control ACME propagation checks (#11241 by ldez)
  - api
    * Add support dump API endpoint (#11328 by mmatur)
  - http
    * Set Host header in HTTP provider request (#11237 by nikonhub)
  - k8s/crd, k8s
    * Make the IngressRoute kind optional (#11177 by skirtan1)
  - k8s/ingress, sticky-session, k8s/crd,k8s
    * Support serving endpoints (#11121 by BZValoche)
    * Fix fenced server status computation (#11361 by kevinpollet)
  - logs, accesslogs
    * OpenTelemetry Logs and Access Logs (#11319 by rtribotte)
    * Add experimental flag for OTLP logs integration (#11335 by kevinpollet)
  - metrics, tracing, accesslogs
    * Manage observability at entrypoint and router level (#11308 by rtribotte)
  - middleware, authentication
    * Add an option to preserve the ForwardAuth Server Location header (#11318 by Nelwhix)
    * Only calculate basic auth hashes once for concurrent requests (#11143 by michelheusschen)
    * Send request body to authorization server for forward auth (#11097 by kyo-ke)
  - plugins
    * Add AbortOnPluginFailure option to abort startup on plugin load failure (#11228 by bmagic)
  - sticky-session
    * Configurable path for sticky cookies (#11165 by IIpragmaII)
  - webui, api
    * Configurable API & Dashboard base path (#11250 by rtribotte)

OBS-URL: https://build.opensuse.org/package/show/devel:kubic/traefik?expand=0&rev=65
 2025-01-15 09:48:21 +00:00
Ana Guerrero
63b878ac7d Accepting request 1235812 from devel:kubic 
OBS-URL: https://build.opensuse.org/request/show/1235812
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/traefik?expand=0&rev=28
 2025-01-09 14:07:48 +00:00
Johannes Weberhofer
5aa5dbc3aa - Version 3.2.5 
- websocket,server 
    * Disable http2 connect setting for websocket by default 
      (gh#traefik/traefik#11412)

OBS-URL: https://build.opensuse.org/package/show/devel:kubic/traefik?expand=0&rev=63
 2025-01-08 08:20:06 +00:00
Ana Guerrero
9aa189297a Accepting request 1235216 from devel:kubic 
OBS-URL: https://build.opensuse.org/request/show/1235216
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/traefik?expand=0&rev=27
 2025-01-07 19:52:21 +00:00
Johannes Weberhofer
50a718003a - Version 3.2.4 
- acme
    * Update go-acme/lego to v4.21.0 (gh#traefik/traefik#11368)
  - k8s/gatewayapi
    * Support empty value for core Kubernetes API group (gh#traefik/traefik#11386)
  - middleware
    * Fix typo in basicauth note (gh#traefik/traefik#11397)
  - service
    * Configure ErrorLog in httputil.ReverseProxy (gh#traefik/traefik#11344)
  - tls
    * Upgrade github.com/spiffe/go-spiffe/v2 to v2.4.0 (gh#traefik/traefik#11385)
  Bump golang.org/x/net to v0.33.0 (gh#traefik/traefik#11365)
  Remove duplicate github.com/coreos/go-systemd dependency (gh#traefik/traefik#11354)

OBS-URL: https://build.opensuse.org/package/show/devel:kubic/traefik?expand=0&rev=61
 2025-01-06 14:50:50 +00:00
Ana Guerrero
5ed183154d Accepting request 1231516 from devel:kubic 
OBS-URL: https://build.opensuse.org/request/show/1231516
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/traefik?expand=0&rev=26
 2024-12-16 18:18:15 +00:00
Johannes Weberhofer
11ca6c9721 Accepting request 1231513 from home:weberho:branches:devel:kubic 
- Version 3.2.3 
  - acme
    * Update go-acme/lego to v4.20.4 (gh#traefik/traefik#11295)
  - http3
    * Update github.com/quic-go/quic-go to v0.48.2 (gh#traefik/traefik#11320)
  - docker,docker/swarm
    * Rename traefik.docker.* labels for Docker Swarm to traefik.swarm.* (gh#traefik/traefik#11247)
  - plugins
    * Fix WASM settings (gh#traefik/traefik#11321)
  - rules
    * Fix models mechanism for default rule syntax (gh#traefik/traefik#11300)
  - server
    * Update golang.org/x dependencies (gh#traefik/traefik#11336, CVE-2024-45337, boo#1234502)

OBS-URL: https://build.opensuse.org/request/show/1231513
OBS-URL: https://build.opensuse.org/package/show/devel:kubic/traefik?expand=0&rev=59
 2024-12-16 13:52:10 +00:00
Ana Guerrero
95ce44eb6f Accepting request 1225803 from devel:kubic 
OBS-URL: https://build.opensuse.org/request/show/1225803
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/traefik?expand=0&rev=25
 2024-11-22 22:53:00 +00:00
Johannes Weberhofer
a9c701c51d - golang-jwt has been updated to version 4.5.1 to fix CVE-2024-51744 and boo#1232940 
- Version 3.2.1 changes
  - acme
    * Update go-acme/lego to v4.20.2 (gh#traefik/traefik#11263 by ldez)
  - logs
    * Change level of peeking first byte error log to DEBUG for Postgres 
      (gh#traefik/traefik#11270 by rtribotte)
  - k8s/ingress,k8s
    * Fix HostRegexp config for rule syntax v2 (gh#traefik/traefik#11288 by kevinpollet)
  - logs Change level of peeking first byte error log to DEBUG for Postgres
    (gh#traefik/traefik#11270 by rtribotte, gh#traefik/traefik#11254 by rtribotte)
  - service
    * Fix internal handlers ServiceBuilder composition (gh#traefik/traefik#11281 by juliens)
  - service,fastproxy Fix case problem for websocket upgrade
    (gh#traefik/traefik#11246 by juliens)
  - server
    * Change level of peeking first byte error log to DEBUG (gh#traefik/traefik#11254 by rtribotte)
    * Apply keepalive config to h2c entrypoints (gh#traefik/traefik#11276 by davefu113)
  - middleware,server
    * Drop untrusted X-Forwarded-Prefix header (gh#traefik/traefik#11253 by rtribotte)

OBS-URL: https://build.opensuse.org/package/show/devel:kubic/traefik?expand=0&rev=57
 2024-11-22 11:36:34 +00:00
Dominique Leuenberger
d8887da1c7 Accepting request 1219806 from devel:kubic 
- Update from 3.1.6 to 3.2.0
- Important: please read the migration guide when migrating to version 3.2.0
- Version 3.2.0 changes
  - acme
      * Remove same email requirement for certresolvers (#11019 by Emrio)
      * Add support for custom CA certificates by certificate resolver (#10816 by ldez)
      * Add 30 day certificatesDuration step (#10970 by luker983)
  - docker
      * Support HTTP BasicAuth for docker and swarm endpoint (#10776 by 985492783)
  - k8s, k8s/gatewayapi
      * Add supported features to the Gateway API GatewayClass status (#11056 by rtribotte)
      * Update sigs.k8s.io/gateway-api to v1.2.0-rc1 (#11124 by rtribotte)
      * Add support for backend protocol selection in HTTP and GRPC routes (#11051 by rtribotte)
      * Improve Kubernetes GatewayAPI TCPRoute and TLSRoute support (#11042 by rtribotte)
      * Support HTTPRoute destination port matching (#11134 by kevinpollet)
      * Bump sigs.k8s.io/gateway-api to v1.2.0-rc2 (#11131 by kevinpollet)
      * Add support for Gateway API BackendTLSPolicies (#11009 by rtribotte)
      * Support NativeLB option in GatewayAPI provider (#11147 by rtribotte)
      * Support ResponseHeaderModifier filter (#10987 by kevinpollet)
      * Support GRPC routes (#10975 by kevinpollet)
      * Bump sigs.k8s.io/gateway-api to v1.2.0 (#11167 by rtribotte)
      * Ensuring Gateway API reflected Traefik resource name unicity (#11222 by rtribotte)
      * Preserve GRPCRoute filters order (#11199 by kevinpollet)
      * Support http and https appProtocol for Kubernetes Service (#11176 by WillDaSilva)
      * Avoid updating Accepted status for routes matching no Gateways (#11170 by rtribotte)
      * Do not update gateway status when not selected by a gateway class (#11169 by kevinpollet)
      * Document nativeLBByDefault annotation on Kubernetes Gateway provider (#11209 by mloiseleur)
  - k8s/crd, k8s
      * Detail CRD update with v3.2 in the migration guide (#11164 by mloiseleur)
  - k8s/gatewayapi
      * Add missing RBAC in the migration guide (#11189 by mloiseleur)
  - k8s
      * Fix instructions for downloading CRDs of Gateway API v1.2 (#11191 by mloiseleur)
  - metrics, otel
      * Allow setting service.name for OTLP metrics (#10917 by cmartell-at-ocp)
  - middleware
      * Record trace id and EntryPoint span id into access log (#10921 by weijiany)
      * Support LogUserHeader with forwardAuth middleware (#10833 by GaleHuang)
      * Add encodings option to the compression middleware (#10943 by wollomatic)
      * Add support for ipv6 subnet in ipStrategy (#9747 by michal-kralik)
  - nomad
      * Support for watching instead of polling Nomad (#10997 by deverton-godaddy)
  - server
      * Introduce a fast proxy mode to improve HTTP/1.1 performances with backends (#11122 by kevinpollet)
      * Configurable max request header size (#10995 by lucasrod16)
  - service
      * Add mirrorBody option to HTTP mirroring (#11032 by MatteoPaier)
      * Add an option to preserve server path (#11192 by mmatur)
      * Detect and drop broken conns in the fastproxy pool (#11212 by kevinpollet)
  - Merge branch v3.1 into v3.2 (#11219 by kevinpollet)
  - Merge branch v3.1 into master (#11153 by kevinpollet)
- Version 3.1.7 changes
  - k8s
    * Preserve HTTPRoute filters order (#11198 by kevinpollet)
  - Merge branch v2.11 into v3.1

OBS-URL: https://build.opensuse.org/request/show/1219806
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/traefik?expand=0&rev=24
 2024-10-31 15:10:08 +00:00
Johannes Weberhofer
0a60eaddcd Update from 3.1.6 to 3.2.0 
OBS-URL: https://build.opensuse.org/package/show/devel:kubic/traefik?expand=0&rev=55
 2024-10-31 08:36:11 +00:00
Ana Guerrero
58704b0808 Accepting request 1208279 from devel:kubic 
OBS-URL: https://build.opensuse.org/request/show/1208279
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/traefik?expand=0&rev=23
 2024-10-16 21:48:11 +00:00
Alexandre Vicenzi
f195877329 Update from 3.1.4 to 3.1.6, changes for 3.1.5. and 3.1.6 
OBS-URL: https://build.opensuse.org/package/show/devel:kubic/traefik?expand=0&rev=53
 2024-10-16 07:04:50 +00:00
Ana Guerrero
febe664297 Accepting request 1202895 from devel:kubic 
OBS-URL: https://build.opensuse.org/request/show/1202895
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/traefik?expand=0&rev=22
 2024-09-24 15:34:36 +00:00
Alexandre Vicenzi
41a9bee7a4 Update to version 3.1.4, fix CVE-2024-45410, update specfile ldflags 
OBS-URL: https://build.opensuse.org/package/show/devel:kubic/traefik?expand=0&rev=51
 2024-09-24 10:23:23 +00:00
Ana Guerrero
52bb3c603c Accepting request 1200844 from devel:kubic 
OBS-URL: https://build.opensuse.org/request/show/1200844
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/traefik?expand=0&rev=21
 2024-09-18 13:26:56 +00:00
Johannes Weberhofer
5ec7c3afa7 - Moved /etc/traefik/acme.json to /var/lib/traefik/acme.json to allow traefik 
running with "ProtectSystem=full" write access to the certificate store.
  The acme.json file will be automatically moved and the configuration will be
  updated accordingly.
- Added /usr/lib/sysctl.d/90-itraefik.conf to increase UDP Buffer sizes as explained
   at https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes

OBS-URL: https://build.opensuse.org/package/show/devel:kubic/traefik?expand=0&rev=49
 2024-09-13 13:00:38 +00:00
11 changed files with 582 additions and 22 deletions
Expand all files Collapse all files

9
90-traefik.conf Normal file
View File

@@ -0,0 +1,9 @@
#
# Increase the maximum UDP Buffer size to prevent dropping
# incoming packaets by the kernel
#
# https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes
#
net.core.rmem_max=7500000
net.core.wmem_max=7500000

3
_service
View File

@@ -1,6 +1,5 @@
<services>
<service name="download_files" mode="manual">
</service>
<service name="download_files" mode="manual" />
<service name="go_modules" mode="manual">
<param name="archive">traefik*.src.tar.gz</param>
<param name="basename">./</param>

2
traefik-user.conf
View File

@@ -1,3 +1,3 @@
#Type Name ID GECOS Home directory Shell
u traefik - "HTTP reverse proxy and load balancer" /etc/traefik -
u traefik - "HTTP reverse proxy and load balancer" /var/lib/traefik -
m traefik traefik

3
traefik-v3.1.2.src.tar.gz
View File

@@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:d8cada1d42e2fad4cbe15b75e8db21647b520ffd49dd09814cc1131c3fe02d00
size 11491439

3
traefik-v3.5.1.src.tar.gz Normal file
View File

@@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:fc5cb4b50877c13ab4a120bbffb0dfd9edd0ec6b15a6901579db2701dec05c5f
size 14111527

495
traefik.changes
View File

@@ -1,3 +1,494 @@
-------------------------------------------------------------------
Fri Aug 29 14:44:19 UTC 2025 - Johannes Weberhofer <jweberhofer@weberhofer.at>
- Removed old update scripts which fixes boo#1245204 for traefik reloease v3.
- Version 3.5.1
Bug fixes:
* accesslogs,otel
- Provide Log Body in OTEL access Log
* acme
- Bump github.com/go-acme/lego/v4 to v4.25.2
* k8s/gatewayapi
- Make app protocol case insensitive
* otel
- Fix misspelling in docs
* server
- Bump to github.com/pires/go-proxyproto v0.8.1
- Silent expected errors on receiving sigterm signal
* tracing
- Fix capturedRequestHeaders and capturedResponseHeaders headers
options not being canonicalized in tracing
- Follow OTel semantic conventions for root span naming
* webui
- Update Traefik Proxy dashboard UI development deps
* docker
- Bump github.com/docker/docker to v28.3.3 (#12007 by kevinpollet)
* Refactor to use reflect.TypeFor
-------------------------------------------------------------------
Tue Jul 29 10:00:18 UTC 2025 - Johannes Weberhofer <jweberhofer@weberhofer.at>
- Version 3.5.0
Please read the migration guide:
https://doc.traefik.io/traefik/migration/v3/#v350
Enhancements:
* acme
- Add acme.httpChallenge.delay option
- Allow configuration of ACME provider http timeout
- OCSP stapling
* healthcheck
- Add unhealthy Interval to the health check configuration
- Add url option to healthcheck command
* k8s/gatewayapi
- Bump sigs.k8s.io/gateway-api to v1.3.0
* k8s/ingress
- Make the behavior of prefix matching in Ingress consistent with
Kubernetes doc
* k8s
- NGINX Ingress Provider
* middleware,authentication
- Handle context canceled in ForwardAuth middleware
* plugins
- Ability to enable unsafe in yaegi through plugin manifest
* tls
- Introduce X25519MLKEM768 for Post-Quantum-Secure TLS
* webui
- Improve visualization for StatusRewrites option of errors middleware
- Migrate Traefik Proxy dashboard UI to React
Bug fixes:
* healthcheck
- Revert 11711 adding url param to healthcheck command
* logs,metrics,tracing,accesslogs,otel
- Add missing resource attributes detectors
* logs,tracing,k8s,otel
- Add k8s resource attributes automatically
* metrics,otel
- Add resourceAttributes option to OTel metrics
* middleware,tracing
- Introduce trace verbosity config and produce less spans by default
- Synchronized changelog with boo tickets and cve entries
-------------------------------------------------------------------
Fri Jul 25 05:48:31 UTC 2025 - Johannes Weberhofer <jweberhofer@weberhofer.at>
- Version 3.4.5
* logs
- Redact logged install configuration (gh#traefik/traefik#11907 by jspdown)
* plugins
- Fix client arbitrary file access during archive extraction zipslip
(gh#traefik/traefik#11911 by odaysec)
* server
- Disable MPTCP by default (gh#traefik/traefik#11918 by rtribotte)
* http3
- Bump github.com/quic-go/quic-go to v0.54.0 (gh#traefik/traefik#11919 by GreyXor)
-------------------------------------------------------------------
Tue Jul 22 13:38:51 UTC 2025 - Johannes Weberhofer <jweberhofer@weberhofer.at>
- Fixed boo#1246094 bad logrotate configuration allows potential escalation
from traefik to root
- Disabled MPTCP which caused issues (see gh#traefik/traefik#11869
- Version 3.4.4
- k8s/gatewayapi
* Respect service.nativelb=false annotation when nativeLBByDefault is
enabled (gh#traefik/traefik#11847 by sdelicata)
- service
* Fix concurrent access to balancer status map in WRR and P2C
strategies (gh#traefik/traefik#11887 by kevinpollet)
-------------------------------------------------------------------
Thu Jun 26 15:05:31 UTC 2025 - Johannes Weberhofer <jweberhofer@weberhofer.at>
- Version 3.4.3
- http3
* Bump quic-go to v.0.49.0
- middleware
* Do not log redis sentinel username and password
-------------------------------------------------------------------
Fri Jun 6 15:50:50 UTC 2025 - Johannes Weberhofer <jweberhofer@weberhofer.at>
- Improved logging
- Added logrotate configuration
- Allow reloading the traefik-service via systemctl
-------------------------------------------------------------------
Fri Jun 6 13:26:41 UTC 2025 - Johannes Weberhofer <jweberhofer@weberhofer.at>
- Removed manual download service and manual checksum verification
-------------------------------------------------------------------
Fri Jun 6 08:48:27 UTC 2025 - Johannes Weberhofer <jweberhofer@weberhofer.at>
- Version 3.4.1
- fix for CVE-2025-47952 boo#1243818
- docker
* Do not warn network missing if connected to a container network
(#11698 by holysoles)
- k8s/crd
* Fix CEL validation for RootCA in ServersTransport (#11775 by rtribotte)
- middleware
* Scope the rate limit counter key by source and by middleware
(#11753 by aromeyer)
- server
* Use routing path in v3 matchers (#11790 by kevinpollet)
- service
* Make P2C strategy thread-safe (#11762 by lbenguigui)
- webui
* Do not display RemoveHeader option when not defined (#11782 by kevinpollet)
-------------------------------------------------------------------
Tue May 13 04:44:40 UTC 2025 - Eric Torres <eric.torres@its-et.me>
- Important: please read the migration guide in regards to v3.4.0 changes
- Version 3.4.0 changes
- acme
* Add acme.profile and acme.emailAddresses options (#11597 by ldez)
- docker,ecs,docker/swarm,consulcatalog,nomad
* Allow configuring server URLs with label providers (#11374 by yelvert)
- k8s/crd
* Improve CEL validation on Ingress CRD resources (#11311 by mloiseleur)
* Remove default load-balancing strategy from CRD (#11701 by kevinpollet)
* Restrict regex validation of HTTP status codes for Ingress CRD resources (#11670 by jnoordsij)
- k8s/gatewayapi
* Set rule priority in Gateway API TLSRoute (#11443 by augustozanellato)
- k8s/ingress
* Add ingress status for ClusterIP and NodePort Service Type (#11100 by mlec1)
- middleware,authentication
* Add option to preserve request method in forwardAuth (#11473 by an09mous)
- middleware
* Support rewriting status codes in error page middleware (#11520 by sevensolutions)
* Add Redis rate limiter (#10211 by longquan0104)
- service
* Add p2c load-balancing strategy for servers load-balancer (#11547 by rtribotte)
- sticky-session
* Support domain configuration for sticky cookies (#11556 by jleal52)
- tls,k8s/crd,service
* Allow root CA to be added through config maps (#11475 by Nelwhix)
- tls
* Add support to disable session ticket (#11609 by avdhoot)
- udp
* Add support for UDP routing in systemd socket activation (#11022 by tsiid)
- webui
* Add auto webui theme option and default to it (#11455 by zizzfizzix)
- Replace experimental maps and slices with stdlib (#11350 by Juneezee)
- Bump github.com/redis/go-redis/v9 to v9.7.3 (#11687 by kevinpollet)
-------------------------------------------------------------------
Sat Apr 19 22:05:31 UTC 2025 - Eric Torres <eric.torres@its-et.me>
- Important: Please read the migration guide in regards to v3.3.6 changes
- Version 3.3.6 changes
* The incoming request path is now cleaned before being used to
match the router rules and sent to the backends. Any /../, /./ or duplicate
slash segments in the request path is interpreted and/or collapsed.
* Bump golang.org/x/net to v0.38.0
Fix for boo#1241731 and boo#1241733: CVE-2025-22872
- Bump golang.org/x/oauth2 to v0.28.0
Fix for boo#1239228 CVE-2025-22868
-------------------------------------------------------------------
Sat Apr 19 22:04:38 UTC 2025 - Eric Torres <eric.torres@its-et.me>
- Please read the migration guide in regards to v3.3.5 changes
- Version 3.3.5 changes
- k8s/gatewayapi
* Set scheme to https with BackendTLSPolicy (#11586 by rtribotte)
- middleware
* Revert compress middleware algorithms priority to v2 behavior (#11641 by rtribotte)
* Do not abort request when response content-type is malformed (#11628 by kevinpollet)
* Compress data on flush when compression is not started (#11583 by kevinpollet)
* Updates
- Bump github.com/go-jose/go-jose/v4 to v4.0.5
fix boo#1237621 CVE-2025-27144
- Bump github.com/golang-jwt/jwt to v4.5.2 and v5.2.2
fix boo#1240454 CVE-2025-30204
- Bump x/crypto to v0.35.0
fix for boo#1239383 CVE-2025-22869, boo#1239363 CVE-2025-22869
-------------------------------------------------------------------
Mon Mar 31 00:02:54 UTC 2025 - Eric Torres <eric.torres@its-et.me>
- Change traefik user's home directory to /var/lib/traefik. This
will allow traefik to store data for plugins from https://plugins.traefik.io/plugins
without permission issues
This change will reflect on existing installations automatically
-------------------------------------------------------------------
Mon Mar 10 00:27:19 UTC 2025 - Eric Torres <eric.torres@its-et.me>
- Version 3.3.4 changes
- fastproxy
* Bump github.com/valyala/fasthttp to v1.58.0 (#11526 by kevinpollet)
* Add WebSocket headers if they are present in the request (#11522 by kevinpollet)
* Chunked responses does not have a Content-Length header (#11514 by kevinpollet)
- metrics, otel
* Change request duration metric unit from millisecond to second (#11523 by rtribotte)
- sticky-session
* Fix double hash in sticky cookie (#11518 by juliens)
- tracing
* Use ResourceAttributes instead of GlobalAttributes (#11515 by bruno-de-queiroz)
* Fix panic when calling Tracer (#11479 by basgys)
- Upgrade fixed boo#1235167
- Package mentioned in boo#1235270 CVE-2024-45338 has been upgraded
-------------------------------------------------------------------
Mon Mar 10 00:25:30 UTC 2025 - Eric Torres <eric.torres@its-et.me>
- Version 3.3.3 changes
- api
* Do not create observability model by default (#11476 by rtribotte)
- fastproxy
* Fix content-length header assertion (#11498 by kevinpollet)
* Handle responses without content length header (#11458 by rtribotte)
- k8s/crd, k8s
* Add missing headerField in Middleware CRD (#11499 by jspdown)
- tracing, accesslogs
* Bring back TraceID and SpanID fields in access logs (#11450 by rtribotte)
-------------------------------------------------------------------
Tue Jan 21 13:30:26 UTC 2025 - Johannes Weberhofer <jweberhofer@weberhofer.at>
- Fix possible privilege escalation when mofing the acme.json file to the new
location. Thanks Johannes Segitz (fix for boo#1235408)
- Version 3.3.2
- fastproxy
* Do not read response body for HEAD requests (gh#traefik/traefik#11442)
- metrics,tracing,accesslogs
* Fix observability configuration on EntryPoints (gh#traefik/traefik#11446)
- webui
* Set content-type when serving webui index (gh#traefik/traefik#11428)
-------------------------------------------------------------------
Sun Jan 12 16:50:31 UTC 2025 - Eric Torres <eric.torres@its-et.me>
- Version 3.3.1 changes
- acme
* Add options to control ACME propagation checks (#11241 by ldez)
- api
* Add support dump API endpoint (#11328 by mmatur)
- http
* Set Host header in HTTP provider request (#11237 by nikonhub)
- k8s/crd, k8s
* Make the IngressRoute kind optional (#11177 by skirtan1)
- k8s/ingress, sticky-session, k8s/crd,k8s
* Support serving endpoints (#11121 by BZValoche)
* Fix fenced server status computation (#11361 by kevinpollet)
- logs, accesslogs
* OpenTelemetry Logs and Access Logs (#11319 by rtribotte)
* Add experimental flag for OTLP logs integration (#11335 by kevinpollet)
- metrics, tracing, accesslogs
* Manage observability at entrypoint and router level (#11308 by rtribotte)
- middleware, authentication
* Add an option to preserve the ForwardAuth Server Location header (#11318 by Nelwhix)
* Only calculate basic auth hashes once for concurrent requests (#11143 by michelheusschen)
* Send request body to authorization server for forward auth (#11097 by kyo-ke)
- plugins
* Add AbortOnPluginFailure option to abort startup on plugin load failure (#11228 by bmagic)
- sticky-session
* Configurable path for sticky cookies (#11165 by IIpragmaII)
- webui, api
* Configurable API & Dashboard base path (#11250 by rtribotte)
-------------------------------------------------------------------
Tue Jan 7 15:47:17 UTC 2025 - Johannes Weberhofer <jweberhofer@weberhofer.at>
- Version 3.2.5
- websocket,server
* Disable http2 connect setting for websocket by default
(gh#traefik/traefik#11412)
-------------------------------------------------------------------
Mon Jan 6 12:57:27 UTC 2025 - Johannes Weberhofer <jweberhofer@weberhofer.at>
- Version 3.2.4
- acme
* Update go-acme/lego to v4.21.0 (gh#traefik/traefik#11368)
- k8s/gatewayapi
* Support empty value for core Kubernetes API group (gh#traefik/traefik#11386)
- middleware
* Fix typo in basicauth note (gh#traefik/traefik#11397)
- service
* Configure ErrorLog in httputil.ReverseProxy (gh#traefik/traefik#11344)
- tls
* Upgrade github.com/spiffe/go-spiffe/v2 to v2.4.0 (gh#traefik/traefik#11385)
- Remove duplicate github.com/coreos/go-systemd dependency (gh#traefik/traefik#11354)
- Bump golang.org/x/net to v0.33.0 (gh#traefik/traefik#11365)
mentioned in boo#1235256 CVE-2024-45338
-------------------------------------------------------------------
Mon Dec 16 13:27:07 UTC 2024 - Johannes Weberhofer <jweberhofer@weberhofer.at>
- Version 3.2.3
- Fix for boo#1234513 CVE-2024-4533
- acme
* Update go-acme/lego to v4.20.4 (gh#traefik/traefik#11295)
- http3
* Update github.com/quic-go/quic-go to v0.48.2 (gh#traefik/traefik#11320)
- docker,docker/swarm
* Rename traefik.docker.* labels for Docker Swarm to traefik.swarm.* (gh#traefik/traefik#11247)
- plugins
* Fix WASM settings (gh#traefik/traefik#11321)
- rules
* Fix models mechanism for default rule syntax (gh#traefik/traefik#11300)
- server
* Update golang.org/x dependencies (gh#traefik/traefik#11336, CVE-2024-45337, boo#1234502)
-------------------------------------------------------------------
Thu Nov 21 15:19:14 UTC 2024 - Johannes Weberhofer <jweberhofer@weberhofer.at>
- golang-jwt has been updated to version 4.5.1 to fix CVE-2024-51744 and boo#1232940
- Version 3.2.1 changes
- acme
* Update go-acme/lego to v4.20.2 (gh#traefik/traefik#11263 by ldez)
- logs
* Change level of peeking first byte error log to DEBUG for Postgres
(gh#traefik/traefik#11270 by rtribotte)
- k8s/ingress,k8s
* Fix HostRegexp config for rule syntax v2 (gh#traefik/traefik#11288 by kevinpollet)
- logs Change level of peeking first byte error log to DEBUG for Postgres
(gh#traefik/traefik#11270 by rtribotte, gh#traefik/traefik#11254 by rtribotte)
- service
* Fix internal handlers ServiceBuilder composition (gh#traefik/traefik#11281 by juliens)
- service,fastproxy Fix case problem for websocket upgrade
(gh#traefik/traefik#11246 by juliens)
- server
* Change level of peeking first byte error log to DEBUG (gh#traefik/traefik#11254 by rtribotte)
* Apply keepalive config to h2c entrypoints (gh#traefik/traefik#11276 by davefu113)
- middleware,server
* Drop untrusted X-Forwarded-Prefix header (gh#traefik/traefik#11253 by rtribotte)
-------------------------------------------------------------------
Thu Oct 31 01:26:24 UTC 2024 - Eric Torres <eric.torres@its-et.me>
- Update from 3.1.6 to 3.2.0
- Important: please read the migration guide when migrating to version 3.2.0
- Version 3.2.0 changes
- acme
* Remove same email requirement for certresolvers (#11019 by Emrio)
* Add support for custom CA certificates by certificate resolver (#10816 by ldez)
* Add 30 day certificatesDuration step (#10970 by luker983)
- docker
* Support HTTP BasicAuth for docker and swarm endpoint (#10776 by 985492783)
- k8s, k8s/gatewayapi
* Add supported features to the Gateway API GatewayClass status (#11056 by rtribotte)
* Update sigs.k8s.io/gateway-api to v1.2.0-rc1 (#11124 by rtribotte)
* Add support for backend protocol selection in HTTP and GRPC routes (#11051 by rtribotte)
* Improve Kubernetes GatewayAPI TCPRoute and TLSRoute support (#11042 by rtribotte)
* Support HTTPRoute destination port matching (#11134 by kevinpollet)
* Bump sigs.k8s.io/gateway-api to v1.2.0-rc2 (#11131 by kevinpollet)
* Add support for Gateway API BackendTLSPolicies (#11009 by rtribotte)
* Support NativeLB option in GatewayAPI provider (#11147 by rtribotte)
* Support ResponseHeaderModifier filter (#10987 by kevinpollet)
* Support GRPC routes (#10975 by kevinpollet)
* Bump sigs.k8s.io/gateway-api to v1.2.0 (#11167 by rtribotte)
* Ensuring Gateway API reflected Traefik resource name unicity (#11222 by rtribotte)
* Preserve GRPCRoute filters order (#11199 by kevinpollet)
* Support http and https appProtocol for Kubernetes Service (#11176 by WillDaSilva)
* Avoid updating Accepted status for routes matching no Gateways (#11170 by rtribotte)
* Do not update gateway status when not selected by a gateway class (#11169 by kevinpollet)
* Document nativeLBByDefault annotation on Kubernetes Gateway provider (#11209 by mloiseleur)
- k8s/crd, k8s
* Detail CRD update with v3.2 in the migration guide (#11164 by mloiseleur)
- k8s/gatewayapi
* Add missing RBAC in the migration guide (#11189 by mloiseleur)
- k8s
* Fix instructions for downloading CRDs of Gateway API v1.2 (#11191 by mloiseleur)
- metrics, otel
* Allow setting service.name for OTLP metrics (#10917 by cmartell-at-ocp)
- middleware
* Record trace id and EntryPoint span id into access log (#10921 by weijiany)
* Support LogUserHeader with forwardAuth middleware (#10833 by GaleHuang)
* Add encodings option to the compression middleware (#10943 by wollomatic)
* Add support for ipv6 subnet in ipStrategy (#9747 by michal-kralik)
- nomad
* Support for watching instead of polling Nomad (#10997 by deverton-godaddy)
- server
* Introduce a fast proxy mode to improve HTTP/1.1 performances with backends (#11122 by kevinpollet)
* Configurable max request header size (#10995 by lucasrod16)
- service
* Add mirrorBody option to HTTP mirroring (#11032 by MatteoPaier)
* Add an option to preserve server path (#11192 by mmatur)
* Detect and drop broken conns in the fastproxy pool (#11212 by kevinpollet)
- Merge branch v3.1 into v3.2 (#11219 by kevinpollet)
- Merge branch v3.1 into master (#11153 by kevinpollet)
- Version 3.1.7 changes
- k8s
* Preserve HTTPRoute filters order (#11198 by kevinpollet)
- Merge branch v2.11 into v3.1
-------------------------------------------------------------------
Wed Oct 16 03:46:25 UTC 2024 - Eric Torres <eric.torres@its-et.me>
- Update from 3.1.4 to 3.1.6
- Version 3.1.6 changes
- middleware
* Reuse compression writers (#11168 by michelheusschen)
* Use correct default weight in Accept-Encoding (#11084 by michelheusschen)
- plugins
* Close wasm middleware to prevent memory leak (#11151 by ttys3)
- Version 3.1.5 changes
- k8s, ingress
* Disable IngressClass lookup when disableClusterScopeResources is enabled (#11111 by jnoordsij)
- server
* Rework condition to not log on timeout (#11132 by rtribotte)
- Merge branch v2.11 into v3.1
-------------------------------------------------------------------
Tue Sep 24 00:25:39 UTC 2024 - Eric Torres <eric.torres@its-et.me>
- Update to version 3.1.4
- Fixes CVE-2024-45410, boo#1230842
- k8s, ingress, rules, crd
* Allow configuring rule syntax with Kubernetes Ingress annotation
* Re-allow empty configuration for Kubernetes Ingress provider
* Remove mentions about APIVersion traefik.io/v1
* Update quick-start-with-kubernetes.md to include required permissions
- middlewares, metrics
* Wrap capture for services used by pieces of middleware
* Mention missing metrics removal in the migration guide
* Guess Datadog socket type when prefix is unix
- plugins
* Removes goexport dependency and adds _initialize
- tracing
* Fix tracing documentation
* OTLP doc + potential panic
- Update ldflags to point to correct traefik version (v3 instead of v2)
-------------------------------------------------------------------
Thu Sep 12 14:50:28 UTC 2024 - Johannes Weberhofer <jweberhofer@weberhofer.at>
- Moved /etc/traefik/acme.json to /var/lib/traefik/acme.json to allow traefik
running with "ProtectSystem=full" write access to the certificate store.
The acme.json file will be automatically moved and the configuration will be
updated accordingly.
- Added /usr/lib/sysctl.d/90-itraefik.conf to increase UDP Buffer sizes as explained
at https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes
-------------------------------------------------------------------
Wed Aug 7 08:03:10 UTC 2024 - Johannes Weberhofer <jweberhofer@weberhofer.at>
@@ -165,6 +656,8 @@ Fri May 3 15:14:17 UTC 2024 - Johannes Weberhofer <jweberhofer@weberhofer.at>
- Removed traefik-fix-int-overflow-with-go-generate-10452.patch
- Update to version 2.11.2
* Fix for boo#1235167 CVE-2024-28180
* Important
* Read the migration guide at https://doc.traefik.io/traefik/migration/v2/#v2112
@@ -476,6 +969,7 @@ Tue Jun 07 08:27:42 UTC 2022 - alexandre.vicenzi@suse.com
* [middleware,tls] Use CNAME for SNI check on host header
* [middleware,tracing] Rename Datadog span tags
* [tls] Apply the same approach as the rules system on the TLS configuration choice
* Includes a update to gopkg.in/yaml.v3 v3.0.1 which fixes CVE-2022-28948 resp. boo#1248536
-------------------------------------------------------------------
Fri Feb 04 13:37:58 UTC 2022 - alexandre.vicenzi@suse.com
@@ -550,3 +1044,4 @@ Thu Jan 10 14:50:22 UTC 2019 - pgeorgiadis@suse.com
* Allow empty path with App-root annotation
* kubernetes: sort and uniq TLS secrets
* Skip TLS section with no secret in Kubernetes ingress

20
traefik.logrotate Normal file
View File

@@ -0,0 +1,20 @@
/var/log/traefik/*.log {
su traefik traefik
weekly
maxsize 32G
notifempty
missingok
rotate 128
dateext
dateformat -%Y%m%d-%H%M
compress
compresscmd xz
create 644 traefik traefik
postrotate
systemctl reload traefik.service
endscript
}

1
traefik.service
View File

@@ -9,6 +9,7 @@ AssertPathExists=/etc/traefik/traefik.yml
[Service]
Type=notify
ExecStart=/usr/bin/traefik --configFile=/etc/traefik/traefik.yml
ExecReload=kill -HUP $MAINPID ; kill -USR1 $MAINPID
User=traefik
WorkingDirectory=~
Restart=always

48
traefik.spec
View File

@@ -1,7 +1,7 @@
#
# spec file for package traefik
#
# Copyright (c) 2024 SUSE LLC
# Copyright (c) 2025 SUSE LLC and contributors
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -23,7 +23,7 @@
%define buildmode pie
%endif
Name: traefik
Version: 3.1.2
Version: 3.5.1
Release: 0
Summary: The Cloud Native Application Proxy
License: MIT
@@ -36,11 +36,14 @@ Source1: vendor.tar.gz
Source2: %{name}.service
Source3: %{name}.yml
Source4: %{name}-user.conf
Source5: 90-%{name}.conf
Source6: %{name}.logrotate
BuildRequires: go-bindata
BuildRequires: golang-packaging
BuildRequires: systemd-rpm-macros
BuildRequires: sysuser-tools
BuildRequires: (golang(API) >= 1.22)
Requires: logrotate
Recommends: podman
Conflicts: traefik2
Provides: group(%{name})
@@ -58,8 +61,7 @@ Etcd, Rancher, Amazon ECS) and configures itself automatically and dynamically.
Pointing Traefik at your orchestrator should be the only configuration step you need.
%prep
%setup -q -c %{name}-%{version} -b0 -a1
%autopatch -p1
%autosetup -c %{name}-%{version} -b0 -a1 -p1
%build
%sysusers_generate_pre %{SOURCE4} %{name} %{name}-user.conf
@@ -72,9 +74,9 @@ build_date=$(date -u -d @${SOURCE_DATE_EPOCH:-$(date +%%s)} +"%%Y%%m%%d")
CGO_ENABLED=1 GOGC=off go build \
-buildmode=%{buildmode} \
-mod=vendor \
-ldflags "-X github.com/traefik/traefik/v2/pkg/version.Version=%{version} \
-X github.com/traefik/traefik/v2/pkg/version.Codename='' \
-X github.com/traefik/traefik/v2/pkg/version.BuildDate=${build_date}" \
-ldflags "-X github.com/traefik/traefik/v3/pkg/version.Version=%{version} \
-X github.com/traefik/traefik/v3/pkg/version.Codename='' \
-X github.com/traefik/traefik/v3/pkg/version.BuildDate=${build_date}" \
-installsuffix nocgo \
-o traefik \
./cmd/traefik
@@ -94,17 +96,33 @@ ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}
install -D -p -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/%{name}/%{name}.yml
mkdir -p %{buildroot}%{_sysconfdir}/%{name}/conf.d
# install configuration to increase UDP buffer sizes
install -D -p -m 0644 %{SOURCE5} %{buildroot}%{_prefix}/lib/sysctl.d/90-%{name}.conf
# acme storage
install -d -m 0700 %{buildroot}%{_localstatedir}/lib/%{name}
touch %{buildroot}%{_localstatedir}/lib/%{name}/acme.json
# logging
mkdir -p %{buildroot}%{_localstatedir}/log/%{name}
mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d
install -m 644 %{SOURCE6} %{buildroot}/%{_sysconfdir}/logrotate.d/traefik
%pre -f %{name}.pre
%service_add_pre %{name}.service
%post
%service_add_post %{name}.service
%{fillup_only -n %{name}}
# fix ownership for config and logging directory
chown -R traefik: %{_sysconfdir}/%{name} %{_localstatedir}/log/%{name}
# update traefik user's home directory
sysuser_homedir="$(getent passwd traefik | cut -d: -f6)"
if [ "${sysuser_homedir}" != "%{_localstatedir}/lib/%{name}" ]; then
usermod --home %{_localstatedir}/lib/%{name} traefik
echo "Updated traefik home directory to %{_localstatedir}/lib/%{name}" 1>&2
fi
%preun
%service_del_preun %{name}.service
@@ -121,12 +139,20 @@ chown -R traefik: %{_sysconfdir}/%{name} %{_localstatedir}/log/%{name}
%{_unitdir}/%{name}.service
%{_sbindir}/rc%{name}
%{_prefix}/lib/sysctl.d/90-%{name}.conf
%defattr(0660, traefik, traefik, 0750)
# config files are owned by root but can be read by traefik
%defattr(0640, root, traefik, 0750)
%dir %{_sysconfdir}/%{name}
%dir %{_sysconfdir}/%{name}/conf.d
%config(noreplace) %{_sysconfdir}/%{name}/%{name}.yml
# certificates are visible for traefik only
%defattr(0600, traefik, traefik, 0700)
%dir %{_localstatedir}/lib/%{name}
%config(noreplace) %{_localstatedir}/lib/%{name}/acme.json
%dir %{_localstatedir}/log/%{name}
%config(noreplace) %{_sysconfdir}/logrotate.d/traefik
%changelog

16
traefik.yml
View File

@@ -56,6 +56,10 @@ log:
# Set traefik's log-level
# Default: ERROR
#level: DEBUG
#
# Set a filePath if you want to send traefik logs to a file instead of
# the systemd journal. Access logs are handled seperately
#filePath: /var/log/traefik/traefik.log
# ------------------------------------------------------------------------
@@ -65,9 +69,9 @@ log:
# ------------------------------------------------------------------------
#accessLog:
# ------------------------------------------------------------------------
# Set the filepath for the traefik log-file.
# Set the filepath for the access log file.
# Default: os.Stdout
#filePath: /var/log/traefik/traefik.log
#filePath: /var/log/traefik/access.log
# ------------------------------------------------------------------------
# Write logs in the 'common' or 'json' format.
# Default: common
@@ -147,7 +151,13 @@ providers:
# letsencryptResolver:
# acme:
# email: your@email
# storage: /etc/traefik/acme.json
# storage: /var/lib/traefik/acme.json
# httpChallenge:
# entryPoint: web
# acmeDnsResolver:
# acme:
# email: your@email
# storage: /var/lib/traefik/acme-dns.json
# dnsChallenge:
# provider: ???????

4
vendor.tar.gz
View File

@@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:3e0427bab18e00c659433a0650bb27731acc18f54308005fb8fb2d8181230d41
size 23188316
oid sha256:e8d56542d7c8f8ce5c5d9a6519cf1ec1723a1226d3365bb089329c2bee94b62f
size 22447874