October 4, 2022

Announcing Traefik Proxy 2.9

With canary deployments for Consul and Nomad, support for ECS Anywhere, default certificate with ACME, and much more!


We are excited to announce the general availability of Traefik Proxy 2.9.

We are just a few months away from the next major release of Traefik Proxy 3.0, so for this release, we focused on improving certain integrations and existing features. The 2.9 release is packed with a bunch of improvements and enhancements we believe you’ll enjoy!

Let’s take a look.


Native support for canary deployments in Consul and Nomad

When using Consul Catalog or Nomad as a provider of service registration for Traefik, you may want to distinguish within Traefik between a canary instance of a service or a production one.

It is now possible to tag a service as canary, meaning that a separate service will be created internally, so they aren’t mixed in the same load balancer. Previously, tagging canary deployments took a lot of manual configuration. Now, this is done automatically.

This option is provided as one of the values of the canary_tags field in the Nomad service stanza, allowing Traefik to identify that the associated instance is a canary one.

Here is an example of a Nomad configuration with canary enabled:

service {
  name = "my-app"
  port = "http"

  tags = [
    "traefik.enable=true",
    "traefik.http.routers.myapp.rule=Host(`myapp.mydomain`)",
    "traefik.http.routers.myapp.entrypoints=web",
  ]

  canary_tags = [
    "traefik.nomad.canary=true",
    "traefik.enable=true",
    "traefik.http.routers.myapp.rule=Host(`myapp-canary.mydomain`)",
    "traefik.http.routers.myapp.entrypoints=web",
  ]
#[...]
}

Default certificate with ACME

Up until now, the only way to define the default certificate whenever there is no match for the domain in an incoming request was to specify the certificate file and key paths directly in the Traefik dynamic configuration file, like this:

tls:
  stores:
    default:
      defaultCertificate:
        certFile: path/to/cert.crt
        keyFile: path/to/cert.key

With Traefik Proxy 2.9, it is now possible to use a certificate resolver to generate the default certificate automatically for you.

tls:
  stores:
    default:
      defaultCertResolver: myresolver
      defaultCertDomain:
        main: mydomain.com
        sans: 
          - www.mydomain.com
          - foo.mydomain.com

This option is particularly handy if you need to tell Traefik to assume a given fallback SNI name if none was sent by the peer (e.g., Redis).

TLS 1.0 and 1.1 now disabled by default

Starting from Traefik Proxy 2.9, the default minimum TLS version for client/server negotiation is TLS 1.2, and Traefik Proxy rejects client connections that attempt to use TLS 1.0 or 1.1.

TLS 1.0 and 1.1 are severely outdated protocols, and they pose security risks. Previously, in order to avoid known vulnerabilities targeting those older versions, Traefik Proxy users had to define a custom TLS option or replace the default one. While you can still manually allow older versions if you need them (for example, if you are running legacy systems that require the older versions of TLS), removing TLS 1.0 and 1.1 from the default version goes a long way to making Traefik Proxy secure by default and allowing new users to get a more secure instance out of the box.
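After upgrading, it is worth checking whether an older custom TLS option still re-enables TLS 1.0 or 1.1 and which routers use it. The following is an added example, not code from Traefik: it audits the parsed (dict) form of a dynamic configuration, the sample configuration and the `old.mydomain` host are constructed, and it assumes option references carry at most an `@provider` suffix.

```python
TLS_ORDER = ["VersionTLS10", "VersionTLS11", "VersionTLS12", "VersionTLS13"]
DEFAULT_MIN = "VersionTLS12"  # default minimum since Traefik Proxy 2.9

def weak_tls_options(config):
    """Return {option_name: minVersion} for option sets that allow < TLS 1.2."""
    weak = {}
    for name, opts in (config.get("tls", {}).get("options") or {}).items():
        min_version = (opts or {}).get("minVersion", DEFAULT_MIN)
        if min_version not in TLS_ORDER:
            raise ValueError(f"{name}: unknown minVersion {min_version!r}")
        if TLS_ORDER.index(min_version) < TLS_ORDER.index(DEFAULT_MIN):
            weak[name] = min_version
    return weak

def exposed_routers(config):
    """Return sorted (protocol, router, option, minVersion) tuples for
    TLS routers bound to an option set that allows TLS 1.0 or 1.1."""
    weak = weak_tls_options(config)
    findings = []
    for proto in ("http", "tcp"):
        routers = config.get(proto, {}).get("routers") or {}
        for router, spec in routers.items():
            if "tls" not in spec:
                continue  # router does not terminate TLS
            # A TLS router without an explicit reference uses "default".
            option = (spec["tls"] or {}).get("options", "default")
            option = option.split("@")[0]  # drop suffix such as "@file"
            if option in weak:
                findings.append((proto, router, option, weak[option]))
    return sorted(findings)

# Constructed sample: dict form of a dynamic configuration file.
SAMPLE = {
    "tls": {"options": {
        "default": {},                             # inherits TLS 1.2 minimum
        "legacy": {"minVersion": "VersionTLS10"},  # explicit opt-in to TLS 1.0
        "modern": {"minVersion": "VersionTLS13"},
    }},
    "http": {"routers": {
        "myapp": {"rule": "Host(`myapp.mydomain`)", "tls": {}},
        "oldapp": {"rule": "Host(`old.mydomain`)",
                   "tls": {"options": "legacy@file"}},
    }},
    "tcp": {"routers": {
        "redis": {"rule": "HostSNI(`*`)", "tls": {"options": "modern"}}}},
}

if __name__ == "__main__":
    for finding in exposed_routers(SAMPLE):
        print("allows legacy TLS:", finding)
```

Each finding is a router that should either move to a TLS 1.2+ option set or be documented as a deliberate exception for a legacy client.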

New observability metric for the request size

Being able to measure the amount of data passing through a proxy instance can be really helpful, or even a must-have feature, in many use cases, from system admins monitoring production environments to SaaS platform admins who work with API consumption-based pricing.

Starting with Traefik Proxy 2.9, you’ll have an easy way to track usage with a new metric that contains the total request size, in bytes handled by requests and responses. It is available at the entrypoint level, as well as at the router and service levels.

If you already use one of the available observability backends, by upgrading Traefik, this new metric will be automatically available with no additional configuration required. Otherwise, please check the Traefik Proxy documentation for detailed instructions.

Support for ECS Anywhere

With Traefik Proxy 2.9 we are extending our support for the ECS provider by adding support for ECS Anywhere. ECS Anywhere is a feature from the Amazon Elastic Container Service which enables you to run and manage container workloads on your own infrastructure.

Once enabled, Traefik Proxy will now fetch the correct IP addresses for the on-premise instances connected to ECS, allowing users to expose services and making it possible for Traefik Proxy to reach them from the network layer.

#Static configuration
providers:
  ecs:
    ecsAnywhere: true

But wait… there’s more!

I said that this release only brings enhancements and improvements, but I didn’t say how many! There are many more minor improvements introduced in Traefik Proxy 2.9. Find the list below or check out the full changelog for all the details.

  • Host mode networking with Podman
  • IPv6 address support in Docker
  • Updated quic-go, which now supports QUIC version 2 and WebTransport over HTTP3
  • Health check can now select the HTTP method to be used
  • Updated Yaegi to 0.14.2, which contains a much-needed fix to enable websocket apps behind a plugin
  • UI now displays if the default TLS option is in use
  • The order of the servers in the load balancer is now random upon creation
  • Extended from Traefik Enterprise: Support for Datadog global tags

Next steps

Coming up next is Traefik Proxy 3.0! We aim for 3.0 to be our best work yet, mostly thanks to the amazing Traefik community who has tirelessly helped improve Traefik Proxy.

So, if you are a long-time contributor, or you’re just looking for an opportunity to get involved, we would love your help. Check out the Traefik Proxy public roadmap to find out what we have in store for the 3.0 release. New ideas, of course, are always welcome!

Thank you to all contributors and maintainers, and a big thank you to our own Traefik Proxy team for their incredible work over the years. To get started with Traefik Proxy 2.9, check out the release notes, and our documentation pages, and don’t forget to visit the Forum for all the latest community topics.

Stay tuned!


