patch traefik for SNI wildcard

5 years ago · 2d918393e6
2 changed files with 95 additions and 12 deletions
--- a/rpmbuild/SOURCES/traefik-sni.patch
+++ b/rpmbuild/SOURCES/traefik-sni.patch
@ -0,0 +1,69 @@
+diff --git a/integration/fixtures/tcp/mixed.toml b/integration/fixtures/tcp/mixed.toml
+index 38d852e7..0e02b45f 100644
+--- a/integration/fixtures/tcp/mixed.toml
+++ b/integration/fixtures/tcp/mixed.toml
+@@ -56,6 +56,13 @@
+       entryPoints = [ "tcp" ]
+       [tcp.routers.to-whoami-no-cert.tls]
+ 
+    [tcp.routers.to-whoami-wildcard]
+      rule = "HostSNI(`*.whoami-a.test`)"
+      service = "whoami-a"
+      entryPoints = [ "tcp" ]
+      [tcp.routers.to-whoami-wildcard.tls]
+        passthrough = true
+
+     [tcp.services.whoami-a.loadBalancer]
+       [[tcp.services.whoami-a.loadBalancer.servers]]
+         address = "localhost:8081"
+diff --git a/integration/tcp_test.go b/integration/tcp_test.go
+index 16b1c8e4..dc834abc 100644
+--- a/integration/tcp_test.go
+++ b/integration/tcp_test.go
+@@ -50,6 +50,11 @@ func (s *TCPSuite) TestMixed(c *check.C) {
+ 	c.Assert(err, checker.IsNil)
+ 	c.Assert(out, checker.Contains, "whoami-no-cert")
+ 
+	// Traefik passes through, termination of wildcard match handled by whoami-a
+	out, err = guessWho("127.0.0.1:8093", "wildcard.whoami-a.test", true)
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Contains, "whoami-a")
+
+ 	tr1 := &http.Transport{
+ 		TLSClientConfig: &tls.Config{
+ 			InsecureSkipVerify: true,
+diff --git a/pkg/tcp/router.go b/pkg/tcp/router.go
+index ea0f406e..c3ca22ce 100644
+--- a/pkg/tcp/router.go
+++ b/pkg/tcp/router.go
+@@ -69,7 +69,7 @@ func (r *Router) ServeTCP(conn WriteCloser) {
+ 	// FIXME Optimize and test the routing table before helloServerName
+ 	serverName = types.CanonicalDomain(serverName)
+ 	if r.routingTable != nil && serverName != "" {
+-		if target, ok := r.routingTable[serverName]; ok {
+		if target, ok := r.GetTarget(serverName); ok {
+ 			target.ServeTCP(r.GetConn(conn, peeked))
+ 			return
+ 		}
+@@ -88,6 +88,21 @@ func (r *Router) ServeTCP(conn WriteCloser) {
+ 	}
+ }
+ 
+// GetTarget finds a matching target allowing for wildcard domains.
+func (r *Router) GetTarget(serverName string) (Handler, bool) {
+	if target, ok := r.routingTable[serverName]; ok {
+		return target, true
+	}
+
+	for targetName, target := range r.routingTable {
+		if strings.HasPrefix(targetName, "*.") && strings.HasSuffix(serverName, targetName[1:]) {
+			return target, true
+		}
+	}
+
+	return nil, false
+}
+
+ // AddRoute defines a handler for a given sniHost (* is the only valid option).
+ func (r *Router) AddRoute(sniHost string, target Handler) {
+ 	if r.routingTable == nil {
--- a/rpmbuild/SPECS/traefik.spec
+++ b/rpmbuild/SPECS/traefik.spec
@ -1,23 +1,32 @@
+%global        goipath github.com/traefik/traefik/v2
+Version:       2.3.6
+
+%gometa
+
+%global common_description %{expand: Traefik (pronounced traffic) is a modern
+HTTP reverse proxy and load balancer that makes deploying microservices easy.
+Traefik integrates with your existing infrastructure components (Docker,
+Swarm mode, Kubernetes, Marathon, Consul, Etcd, Rancher, Amazon ECS, ...)
+and configures itself automatically and dynamically. Pointing Traefik at your
+orchestrator should be the only onfiguration step you need.}
+
 Name:       traefik
-Version:    2.3.4
-Release:    itix2
+Release:    itix1
 Summary:    The Cloud Native Application Proxy
 License:    MIT
-Source0:    https://github.com/traefik/%{name}/releases/download/v%{version}/%{name}_v%{version}_linux_amd64.tar.gz
 ExclusiveArch: x86_64
+URL:        %{gourl}
+Source0:    %{gosource}
 Source1:    traefik.service
 Source2:    traefik.yaml
+Patch0:     traefik-sni.patch
 Requires(pre): shadow-utils
 BuildRequires: systemd
+BuildRequires: breezy
+BuildRequires: golang >= 1.15

 %description
-
-Traefik (pronounced traffic) is a modern HTTP reverse proxy and load balancer
-that makes deploying microservices easy. Traefik integrates with your existing
-infrastructure components (Docker, Swarm mode, Kubernetes, Marathon, Consul,
-Etcd, Rancher, Amazon ECS, ...) and configures itself automatically and
-dynamically. Pointing Traefik at your orchestrator should be the only 
-onfiguration step you need.
+%{common_description}

 # Since we don't recompile from source, disable the build_id checking
 %global _missing_build_ids_terminate_build 0
@ -25,17 +34,22 @@ onfiguration step you need.
 %global debug_package %{nil}

 %prep
-%setup -q -c
+%setup -c
+%goprep
+%patch0 -p1
 cp %{S:1} %{name}.service
 cp %{S:2} %{name}.yaml

 %build
+GO111MODULE=off go get github.com/containous/go-bindata/...
+go generate
+CGO_ENABLED=0 GO111MODULE=on go build -o %{gobuilddir}/traefik %{goipath}/cmd/traefik

 %install
 install -d %{buildroot}/opt/%{name}/etc/
 install -d %{buildroot}/opt/%{name}/etc/conf.d
 install -d %{buildroot}/srv/%{name}/
-install -D traefik %{buildroot}/opt/%{name}/bin/traefik
+install -D %{gobuilddir}/traefik %{buildroot}/opt/traefik/bin/traefik
 install -D -m 0644 %{name}.service %{buildroot}%{_unitdir}/%{name}.service
 install -D -m 0644 %{name}.yaml %{buildroot}/opt/%{name}/etc/%{name}.yaml
 touch %{buildroot}/opt/%{name}/etc/%{name}.env