Traefik Proxy 2.4 Adds Advanced mTLS, Kubernetes Service APIs, and More

We are happy to announce the general availability of Traefik 2.4, the latest version of our cloud-native application proxy. This release adds many nice enhancements, such as Proxy Protocol support on TCP Services, advanced support for mTLS, initial support for the new Kubernetes Service APIs, and last but not least, more than 12 enhancements from our beloved community.

Proxy Protocol Support on TCP Services

Traefik already supports the Proxy Protocol on its EntryPoints for HTTP services. The Proxy Protocol is the standard mechanism for preserving an incoming request's IP address when operators chain load balancers or proxies one after another. However, when forwarding SMTP connections to a service running behind Traefik, for example, it is useful to preserve the source IP as well, e.g., for spam detection. With Traefik 2.4, this is now possible.

[tcp.services.TCPService01.loadBalancer]
terminationDelay = 42
[tcp.services.TCPService01.loadBalancer.proxyProtocol]
version = 2

You can find more information about it in our documentation.

Advanced Support for mTLS

Until now, Traefik used the same transport for forwarding connections to all of your services, making it hard to implement mTLS in a dynamic environment. With this release, it is now possible to directly configure the Servers Transport mechanism and enable mTLS in such environments. This feature is also what makes it possible to integrate directly with Consul Connect.

  [http.serversTransports]
    [http.serversTransports.ServersTransport0]
      serverName = "foobar"
      insecureSkipVerify = true
      rootCAs = ["foobar", "foobar"]
      maxIdleConnsPerHost = 42

      [[http.serversTransports.ServersTransport0.certificates]]
        certFile = "foobar"
        keyFile = "foobar"
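
The following is an added example, not taken from the original post or the Traefik documentation: a ServersTransport for mTLS with backend certificate verification left on, attached to one service. The transport name, service name, host name, address and file paths are assumptions chosen for illustration.

```toml
# Added example (dynamic configuration, file provider).
# All names, paths and addresses below are illustrative placeholders.

[http.serversTransports]
  [http.serversTransports.backend-mtls]
    # Name Traefik expects in the certificate the backend presents.
    serverName = "backend.internal.example"
    # Keep verification on. With "true", Traefik accepts any backend
    # certificate, so only the client half of mTLS remains and the
    # backend's identity is never checked.
    insecureSkipVerify = false
    # CA bundle used to verify the backend certificate, e.g. a private CA.
    rootCAs = ["/etc/traefik/pki/internal-ca.pem"]

    # Client certificate and key Traefik presents to the backend.
    [[http.serversTransports.backend-mtls.certificates]]
      certFile = "/etc/traefik/pki/traefik-client.pem"
      keyFile = "/etc/traefik/pki/traefik-client-key.pem"

[http.services]
  [http.services.app.loadBalancer]
    # Attach the transport to this service. Services without this
    # reference keep using Traefik's default transport.
    serversTransport = "backend-mtls"

    [[http.services.app.loadBalancer.servers]]
      # The https scheme is needed for the TLS settings above to apply.
      url = "https://10.0.0.10:8443"
```

The backend must separately be configured to require and verify client certificates; this fragment only covers Traefik's side of the connection.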

Initial Support for Kubernetes Service APIs

As we discussed in June last year, momentum inside the Kubernetes Community has been building to work on a new standard that enhances the well-known Ingress to address more complex use cases. This new standard, the Gateway part of the new Service APIs, is now available in a first alpha release. At Traefik Labs, we worked together with the SIG community to build one of the first experimental integrations with this new API set. This feature can now be used similarly to every other provider in Traefik to receive dynamic configuration from these new APIs.

We’ll provide more information on this topic soon, with a how-to guide in a dedicated blog post.

Enhancements from the Community

We have more than 12 enhancements from the community packaged in this release. Naming all of them would be a bit too ambitious, but we want to highlight the biggest ones here. We already mentioned one of the most significant contributions from the community above. It's the support for Proxy Protocol on TCP services, contributed by Matthias Schneider. Next comes a PR from Marco Cameriero to display the selected Proxy Protocol version inside the Traefik Dashboard. In addition, Daniel Adams introduced an exponential backoff in the Retry Middleware, and Nikita Konev added the option to filter ForwardAuth request headers.

A big thank you to all of you who have contributed to the project, whether named here specifically or not, for your generous contributions. Without you, this release would not have nearly the number of features it now has.

What’s Coming Next?

What comes after 2.4? Right, the planning for 2.5. There are some topics on the horizon that need addressing. To name just a few:

  • Migrate to networking/v1 on Kubernetes
  • HTTP/3
  • Revamped documentation
  • More community contributions

A Word of Warning

As mentioned above, we are currently migrating the Traefik Kubernetes provider to work with the networking/v1 API internally. With this change, we anticipate having to break compatibility with Kubernetes 1.13 and below. If you are still using these early versions of Kubernetes, please consider upgrading.