Announcing Traefik Proxy 2.9
With canary deployments for Consul and Nomad, support for ECS Anywhere, default certificate with ACME, and much more!
We are excited to announce the general availability of Traefik Proxy 2.9.
We are just a few months away from the next major release of Traefik Proxy 3.0, so for this release, we focused on improving certain integrations and existing features. The 2.9 release is packed with a bunch of improvements and enhancements we believe you’ll enjoy!
Let’s take a look.
Native support for canary deployments in Consul and Nomad
When using Consul Catalog or Nomad as a provider of service registration for Traefik, you may want to distinguish within Traefik between a canary instance of a service or a production one.
It is now possible to tag a service as canary, meaning that a separate service will be created internally, so they aren’t mixed in the same load balancer. Previously, tagging canary deployments took a lot of manual configuration. Now, this is done automatically.
This option is provided as one of the values of the canary_tags
field in the Nomad service stanza, allowing Traefik to identify that the associated instance is a canary one.
Here is an example of a Nomad configuration with canary enabled:
service {
name = "my-app"
port = "http"
tags = [
"traefik.enable=true",
"traefik.http.routers.myapp.rule=Host(`myapp.mydomain`)",
"traefik.http.routers.myapp.entrypoints=web",
]
canary_tags = [
"traefik.nomad.canary=true",
"traefik.enable=true",
"traefik.http.routers.myapp.rule=Host(`myapp-canary.mydomain`)",
"traefik.http.routers.myapp.entrypoints=web",
]
#[...]
}
Default certificate with ACME
Up until now, the only way to define the default certificate whenever there is no match for the domain in an incoming request was to specify the certificate file and key paths directly in the Traefik dynamic configuration file, like this:
tls:
stores:
default:
defaultCertificate:
certFile: path/to/cert.crt
keyFile: path/to/cert.key
With Traefik Proxy 2.9 it is now possible to use certificate resolver to generate the default certificate automatically for you.
tls:
stores:
default:
defaultCertResolver: myresolver
defaultCertDomain:
main: mydomain.com
sans:
- www.mydomain.com
- foo.mydomain.com
This option is particularly handy if you need to tell Traefik to assume a given fallback SNI name if none was sent by the peer (e.g., Redis).
TLS 1.0 and 1.1 now disabled by default
Starting from Traefik Proxy 2.9, the default TLS minimum version for the client/server negotiation is TLS 1.2, and Traefik proxy will be rejecting client connections trying to establish using TLS 1.0 or 1.1.
TLS 1.0 and 1.1 are severely outdated protocols, and they pose security risks. Previously, in order to avoid known vulnerabilities targeting those older versions, Traefik Proxy users had to define a custom TLS option or replace the default one. While you can still manually allow older versions if you need them (for example, if you are running legacy systems that require the older versions of TLS), removing TLS 1.0 and 1.1 from the default version goes a long way to making Traefik Proxy secure by default and allowing new users to get a more secure instance out of the box.
New observability metric for the request size
Being able to measure the amount of data passing through a proxy instance can be really helpful or even a must-have feature in many use cases — from system admins monitoring production environments, to SaaS platform admins that work with API consumption-based price.
Starting with Traefik Proxy 2.9, you’ll have an easy way to track usage with a new metric that contains the total request size — in bytes handled by requests and responses — and is available in the entrypoint, as well as in the router and service levels.
If you already use one of the available observability backends, by upgrading Traefik, this new metric will be automatically available with no additional configuration required. Otherwise, please check the Traefik Proxy documentation for detailed instructions.
Support for ECS Anywhere
With Traefik Proxy 2.9 we are extending our support for the ECS provider by adding support for ECS Anywhere. ECS Anywhere is a feature from the Amazon Elastic Container Service which enables you to run and manage container workloads on your own infrastructure.
Once enabled, Traefik Proxy will now fetch the correct IP addresses for the on-premise instances connected to ECS, allowing users to expose services and making it possible for Traefik Proxy to reach them from the network layer.
#Static configuration
providers:
ecs:
ecsAnywhere: true
But wait… there’s more!
I said that this release only brings enhancements and improvements, but I didn’t say how many! There are many more minor improvements introduced in Traefik Proxy 2.9. Find the list below or check out the full changelog for all the details.
- Host mode networking with Podman
- IPV6 addresses support in Docker
- Updated quic-go, which now supports QUIC version 2 and WebTransport over HTTP3
- Health check can now select the HTTP method to be used
- Updated Yaegi to 0.14.2, which contains some much-needed fix to enable websocket apps behind a plugin
- UI now displays if the default TLS option is in use
- The order of the servers in the load balancer is now random upon creation
- Extended from Traefik Enterprise: Support for Datadog global tags
Next steps
Coming up next is Traefik Proxy 3.0! We aim for 3.0 to be our best work yet, mostly thanks to the amazing Traefik community who has tirelessly helped improve Traefik Proxy.
So, if you are a long-time contributor, or you’re just looking for an opportunity to get involved, we would love your help. Check out the Traefik Proxy public roadmap to find out what we have in store for the 3.0 release. New ideas, of course, are always welcome!
Thank you to all contributors and maintainers, and a big thank you to our own Traefik Proxy team for their incredible work over the years. To get started with Traefik Proxy 2.9, check out the release notes, and our documentation pages, and don’t forget to visit the Forum for all the latest community topics.
Stay tuned!