Merge pull request #168 from emilevauge/add-marathon-basic-authentication

Add basic authentication support in Marathon

Dockerfile

@@ -1,4 +1,5 @@
 FROM scratch
 COPY script/ca-certificates.crt /etc/ssl/certs/
 COPY dist/traefik /
+EXPOSE 80
 ENTRYPOINT ["/traefik"]

build.Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.5
+FROM golang:1.5.3
 
 RUN go get github.com/Masterminds/glide
 RUN go get github.com/mitchellh/gox

configuration.go

@@ -16,7 +16,7 @@ type GlobalConfiguration struct {
 	GraceTimeOut              int64
 	AccessLogsFile            string
 	TraefikLogsFile           string
-	CertFile, KeyFile         string
+	Certificates              []Certificate
 	LogLevel                  string
 	ProvidersThrottleDuration time.Duration
 	Docker                    *provider.Docker
@@ -29,6 +29,12 @@ type GlobalConfiguration struct {
 	Boltdb                    *provider.BoltDb
 }
 
+// Certificate holds a SSL cert/key pair
+type Certificate struct {
+	CertFile string
+	KeyFile  string
+}
+
 // NewGlobalConfiguration returns a GlobalConfiguration with default values.
 func NewGlobalConfiguration() *GlobalConfiguration {
 	globalConfiguration := new(GlobalConfiguration)

docs/index.md

@@ -102,10 +102,12 @@ For example:
 #
 # logLevel = "ERROR"
 
-# SSL certificate and key used
+# SSL certificates and keys
+# You may add several certificate/key pairs to terminate HTTPS for multiple domain names using TLS SNI
 #
 # Optional
 #
+# [[certificates]]
 # CertFile = "traefik.crt"
 # KeyFile = "traefik.key"
 
@@ -241,6 +243,11 @@ address = ":8080"
 #
 # CertFile = "traefik.crt"
 # KeyFile = "traefik.key"
+#
+# Set REST API to read-only mode
+#
+# Optional
+# ReadOnly = false
 ```
 
 - `/`: provides a simple HTML frontend of Træfik
@@ -480,7 +487,8 @@ domain = "marathon.localhost"
 Labels can be used on containers to override default behaviour:
 
 - `traefik.backend=foo`: assign the application to `foo` backend
-- `traefik.port=80`: register this port. Useful when the application exposes multiples ports.
+- `traefik.portIndex=1`: register port by index in the application's ports array. Useful when the application exposes multiple ports.
+- `traefik.port=80`: register the explicit application port value. Cannot be used alongside `traefik.portIndex`.
 - `traefik.protocol=https`: override the default `http` protocol
 - `traefik.weight=10`: assign this weight to the application
 - `traefik.enable=false`: disable this application in Træfɪk
@@ -508,7 +516,7 @@ Træfɪk can be configured to use Consul as a backend configuration:
 #
 # Required
 #
-endpoint = "http://127.0.0.1:8500"
+endpoint = "127.0.0.1:8500"
 
 # Enable watch Consul changes
 #

glide.yaml

@@ -43,7 +43,7 @@ import:
   - package: github.com/alecthomas/units
     ref:     6b4e7dc5e3143b85ea77909c72caf89416fc2915
   - package: github.com/gambol99/go-marathon
-    ref:     0ba31bcb0d7633ba1888d744c42990eb15281cf1
+    ref:     8ce3f764250b2de3f2c627d12ca7dd21bd5e7f93
   - package: github.com/mailgun/predicate
     ref:     cb0bff91a7ab7cf7571e661ff883fc997bc554a3
   - package: github.com/thoas/stats
@@ -142,3 +142,8 @@ import:
   - package: github.com/codahale/hdrhistogram
     ref:     954f16e8b9ef0e5d5189456aa4c1202758e04f17
   - package: github.com/gorilla/websocket
+  - package: github.com/donovanhide/eventsource
+    ref:     d8a3071799b98cacd30b6da92f536050ccfe6da4
+  - package: github.com/golang/glog
+    ref:     fca8c8854093a154ff1eb580aae10276ad6b1b5f
+

integration/fixtures/https/https_sni.toml

@@ -0,0 +1,32 @@
+port = ":443"
+logLevel = "DEBUG"
+
+[[certificates]]
+CertFile = "fixtures/https/snitest.com.cert"
+KeyFile = "fixtures/https/snitest.com.key"
+
+[[certificates]]
+CertFile = "fixtures/https/snitest.org.cert"
+KeyFile = "fixtures/https/snitest.org.key"
+
+[file]
+
+[backends]
+  [backends.backend1]
+    [backends.backend1.servers.server1]
+    url = "http://127.0.0.1:9010"
+  [backends.backend2]
+    [backends.backend2.servers.server1]
+    url = "http://127.0.0.1:9020"
+
+[frontends]
+  [frontends.frontend1]
+  backend = "backend1"
+    [frontends.frontend1.routes.test_1]
+    rule = "Host"
+    value = "snitest.com"
+  [frontends.frontend2]
+  backend = "backend2"
+    [frontends.frontend2.routes.test_2]
+    rule = "Host"
+    value = "snitest.org"

integration/fixtures/https/snitest.com.cert

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIC/zCCAeegAwIBAgIJAL858pci5XyjMA0GCSqGSIb3DQEBBQUAMBYxFDASBgNV
+BAMMC3NuaXRlc3QuY29tMB4XDTE1MTEyMzIyMDU1NloXDTI1MTEyMDIyMDU1Nlow
+FjEUMBIGA1UEAwwLc25pdGVzdC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQDVF25wEroSIUO/dNgHxlyt8pZFVpJ8fNaJw7cnlZ1JP2hLuEbmjAFT
+dHqS8wKDNYHktsBEOUfN/qbk0AiGb+SvhQw6kfM/QSj9fXVQ7KhYP9XYOekTOH7d
+M0Z2L3RGgqs8z+83exOOnAFVvIJCMZJXEeijV6iJlmpCcJa0Kg/JHlxhoWTEeZuU
+G+hITafk1yWOKorTCPlMhB30wuQoWfbHP+3G0bsERLXFiMANE8EtQu8+ZhfseBUh
+5Tu5gIC4Fnria7mRixAZeEiAblFP9h0vrNRcP3nmuVz0tHPIeQsJQiEhxaZ09oUW
+h9WqTsYCP1821+SVazM9oFRTpy6chZyTAgMBAAGjUDBOMB0GA1UdDgQWBBSz9mbX
+ia1TM5FG4Zgagaet24S8HDAfBgNVHSMEGDAWgBSz9mbXia1TM5FG4Zgagaet24S8
+HDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQB79W8XTxlozh9w/W7T
+5vDev67G4T/wetABSb68CRrqojt78PMJuS89JarA8I3ts00O+0JYnsHxp+9qC7pf
+jWHcDSiLwRUMu7MXW/KIen1EB8BQNA0xWbAiQaWYPHzsBlX48+9wBe0HTDx7Lcxb
+OsmnXHBF5fd2EY+R8qJu+PyTDDL1WLItFJpzHiFiGiYF8Tyic3kkPjje6eIOxRmT
+hq+qbwApzbzz6h/VD5xR3zBDFBo2Xs5tdP264KIw/YXDpaXVBiJ5DDjQ3dtJw1G5
+yzgrHQZWJN8Gs8ZZgGdgRf7PHox8xEZtqPiMkChDz6T7Ha3U0xYN6TZGNZOR6DHs
+K9/8
+-----END CERTIFICATE-----

integration/fixtures/https/snitest.com.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEA1RducBK6EiFDv3TYB8ZcrfKWRVaSfHzWicO3J5WdST9oS7hG
+5owBU3R6kvMCgzWB5LbARDlHzf6m5NAIhm/kr4UMOpHzP0Eo/X11UOyoWD/V2Dnp
+Ezh+3TNGdi90RoKrPM/vN3sTjpwBVbyCQjGSVxHoo1eoiZZqQnCWtCoPyR5cYaFk
+xHmblBvoSE2n5NcljiqK0wj5TIQd9MLkKFn2xz/txtG7BES1xYjADRPBLULvPmYX
+7HgVIeU7uYCAuBZ64mu5kYsQGXhIgG5RT/YdL6zUXD955rlc9LRzyHkLCUIhIcWm
+dPaFFofVqk7GAj9fNtfklWszPaBUU6cunIWckwIDAQABAoIBABAdQYDAKcoNMe5c
+i6mq2n9dBPghX9qCJkcswcEAk3BilySCvvnYRJFnEY3jSqFZfoUpPMjr+/4b78sF
+4F8qPwT27sHPH7H833ir8B86hlCGI0nCt1l4wD9CDWYKmKRsZT6oCtMLP6NdMMyn
+AMK4tPRYqlsP2fLtqQN1ODBPrfnraoNHtOVE784iBCD5dewICA5RIQG2i/d2+CGF
++bahFqUXVCqHoxBz4AVvrRFL99VcP7P2iZyk6hDQ7fci7Xay8Wb/HutRxuqvF0aU
+bG6Enk6CCtNZHLwNPp4Hqft0Udvg2tG8okYwbEmoEO40nQsCSzRCpq5Uvzi+LX1k
+LykQ6+ECgYEA7x8vQoyOK60Q3LPpJFGDec2+XJPoesTfJTT6idaP7ukUL8p3FsUo
+9vtxRRfhSOdPoAINmrL0TyMekO2B6zXx0pmWVpMrFwZW6zMwZAnLp/w+3USpbGCy
+K12IIwvRYzTzKwoMTVAKTXm36b6oqr2La4bTdJR7REY6G374FrJb/H0CgYEA5CHk
+Ym0h7cf00fw9UEHRfzUZxmCfRWY6K8InOuHdLi+u4TiyXzs8x5s0e/DN/raNmTGx
+QO81UzuS3nKwc4n5QyXjVnhzR5DbbSACDwHtdnxZByL0D1KvPjtRF8F+rWXViXv2
+TM7UiOmn6R375FPSAPxeyMx8Womc3EnAAfLWGk8CgYEAv8I2WBv3dzcWqqbsdF+a
+G/fOjNdgO/PdLy1JLXiPfHwV4C1xSyVZMJd7wnjgBWLaC+sZldGk8kGrpXWSFlnw
+T38zfMIQcCp5Uax/RfpFA7XZhAAoDe2NdBFRtyknBXPU/dLVArsJSBAwWJa5FBNk
+1xoMQRVBtQLMXnh341utQNECgYEA4o1R2/ka16NaWmpPjXM/lD9skFgF84p4vFn8
+UXpaB3LtDdcbNH2Ed4mHToouWAR8jCUQLTcg0r53tRdaafMcKfXnVUka2nhdoHpH
+8RVt99u3IeIxU0I+q+OGPbw3jAV0UStcxpwj7q9zw4q2SuJ+y+HUUz7XQ6Yjs5Q9
+7PF2c/sCgYEAhdVn5gZ5FvYKrBi46t3pxPsWK476HmQEVHVi5+od7wg+araDelAe
+8QE8hc8qdZGbjdB/AHSPCeUxfO2vnpsCoSRs29o6pDvQuqvHYs+M53l5LEYeOjof
+t6J/DK5Pim2CAFjYFcZk8/Gyl5HjTw3PpdWxoPD5v2Xw3bbY57IIbm4=
+-----END RSA PRIVATE KEY-----

integration/fixtures/https/snitest.org.cert

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIC/zCCAeegAwIBAgIJALAYHG/vGqWEMA0GCSqGSIb3DQEBBQUAMBYxFDASBgNV
+BAMMC3NuaXRlc3Qub3JnMB4XDTE1MTEyMzIyMDU0NFoXDTI1MTEyMDIyMDU0NFow
+FjEUMBIGA1UEAwwLc25pdGVzdC5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQC8b2Qv68Xnv4wgJ6HNupxABSUA5KXmv9g7pwwsFMSOK15o2qGFzx/x
+9loIi5pMIYIy4SVwJNrYUi772nCYMqSIVXlwct/CE70j2Jb2geIHu3jHbFWXruWb
+W1tGGUYzvnsOUziPE3rLWa/NObNYLLlUKJaxfHrxnpuKpQUsXzoLl25cJEVr4jg2
+ZITpdraxaBLisdlWY7EwwHBLu2nxH5Rn+nIjenFfdUwKF9s5dGy63tfBc8LX9yJk
++kOwy1al/Wxa0DUb6rSt0QDCcD+rXnjk2zWPtsHz1btwtqM+FLtN5z0Lmnx7DF3C
+tCf1TMzduzZ6aeHk77zc664ZQun5cH33AgMBAAGjUDBOMB0GA1UdDgQWBBRn/nNz
+PUsmDKmKv3GGo3km5KKvUDAfBgNVHSMEGDAWgBRn/nNzPUsmDKmKv3GGo3km5KKv
+UDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQBkuutIcbBdESgvNLLr
+k/8HUDuFm72lYHZFE+c76CxqYN52w02NCTiq1InoDUvqZXb/StATBwRRduTUPCj9
+KUkC7pOjAFxjzjExsHrtZSq01WinrxNI+qSKvI8jFngMHnwN1omTt7/D7nxeW5Of
+FJTkElnxtELAGHoIwZ+bKprnexefpn9UW84VJvJ2crSR63vBvdTrgsrEGW6kQj1I
+62laDpax4+x8t2h+sfG6uNIA1cFrG8Sk+O2Bi3ogB7Y/4e8r6WA23IRP+aSv0J2b
+k5fvuuXbIc979pQOoO03zG0S7Wpmpsw+9dQB9TOxGITOLfCZwEuIhnv+M9lLqCks
+7H2A
+-----END CERTIFICATE-----

integration/fixtures/https/snitest.org.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAvG9kL+vF57+MICehzbqcQAUlAOSl5r/YO6cMLBTEjiteaNqh
+hc8f8fZaCIuaTCGCMuElcCTa2FIu+9pwmDKkiFV5cHLfwhO9I9iW9oHiB7t4x2xV
+l67lm1tbRhlGM757DlM4jxN6y1mvzTmzWCy5VCiWsXx68Z6biqUFLF86C5duXCRF
+a+I4NmSE6Xa2sWgS4rHZVmOxMMBwS7tp8R+UZ/pyI3pxX3VMChfbOXRsut7XwXPC
+1/ciZPpDsMtWpf1sWtA1G+q0rdEAwnA/q1545Ns1j7bB89W7cLajPhS7Tec9C5p8
+ewxdwrQn9UzM3bs2emnh5O+83OuuGULp+XB99wIDAQABAoIBAGOn9bByXQQnhZAr
+5aLMIn6pOdyzEBptM4q42fMmOJ2HyjJiDjKaTCbHRu5mBoBk6FrIP+iDVUo6jKad
+7BZSEjoYGlWiKzyU+97NWWmdX1D/kOzHGq1RzhTPyAHWtA4Bm0sEMFFa2AJbuGIt
+NfBYFtuva6MKVmsamuBETewdoLEnxzzDFcuOaxXRfTC/ikWcYyB4KEWA5fjroUQC
+Llo9/UTGTkh1Hynv9AXY6Qia/RbrIQjKveKCRj6PjxyE/qN9qfmngczz2pK0hRhL
+Z+K06y8G+Yj1I1zm5jNg1kakVQKoBsnaYkmIUBUSmWv6ERotedOWtOAMlOKa+0l2
+DS7Ou2ECgYEA91doi+3XrMVsgyTEm/ArzEyRUfM5dCSvBCRFhO7QQp2OYAbjJk5S
+pmdpqmwTsXNNMU+XNkWCLug5pk0PTJwP0mVLE2fLYqCCXoyaMltQ0Yk2gaun/RwE
+w5EfyMwOQakLFY/ODvduQfyNpaoWgFz4/WPNTVNCGs04LepSGKaFNy0CgYEAwwgV
+jKeFA+QZGooTInyk07ZlAbenEPu/c2y3UUFxclP0CjP2/VBOpz9B62vhzCKbjD1c
+/L3x1CKC4n4lbeyHi4vrF69LX9SHr1Jm0SUtyKeV3g0EAzIWI0HFhVUkMvtbibQ4
+HXrLVCJO77xetQ7RQszss1z9g3WotAAiBMiQgDMCgYBTLjoilOIrYFmV4Q+dwa95
+DWbxwHJZ9NxG8EvQ4N95B7OR578Matqwy6ZlgeM9kiErrDCWN9oIHGEG5HN4uCM6
+BoaxB/8GNCSj13Uj6kHLtfF2ulvMa1fOzUd7J+TDgC4SGkKaFewmlOCuDf1zPdEe
+pimtD4rzqIB0MJFbaOT0IQKBgDBPjlb7IB3ooLdMQJUoXwP6iGa2gXHZioEjCv3b
+wihZ13e3i5UQEYuoRcH1RUd1wyYoBSKuQnsT2WwVZ1wlXSYaELAbQgaI9NtfBA0G
+sqKjsKICg13vSECPiEgQ4Rin3vLra4MR6c/7d6Y2+RbMhtWPQYrkm/+2Y4XDCqo4
+rGK1AoGAOFZ3RVhuwXzFdKNe32LM1wm1eZ7waxjI4bQS2xUN/3C/uWS7A3LaSlc3
+eRG3DaVpez4DQVupZDHMgxJUYqqKynUj6GD1YiaxGROj3TYCu6e7OxyhalhCllSu
+w/X5M802XqzLjeec5zHoZDfknnAkgR9MsxZYmZPFaDyL6GOKUB8=
+-----END RSA PRIVATE KEY-----

integration/https_test.go

@@ -0,0 +1,110 @@
+package main
+
+import (
+	"crypto/tls"
+	"net"
+	"net/http"
+	"net/http/httptest"
+	"os/exec"
+	"time"
+
+	checker "github.com/vdemeester/shakers"
+	check "gopkg.in/check.v1"
+)
+
+// HTTPSSuite
+type HTTPSSuite struct{ BaseSuite }
+
+// TestWithSNIConfigHandshake involves a client sending a SNI hostname of
+// "snitest.com", which happens to match the CN of 'snitest.com.crt'. The test
+// verifies that traefik presents the correct certificate.
+func (s *HTTPSSuite) TestWithSNIConfigHandshake(c *check.C) {
+	cmd := exec.Command(traefikBinary, "fixtures/https/https_sni.toml")
+	err := cmd.Start()
+	c.Assert(err, checker.IsNil)
+	defer cmd.Process.Kill()
+
+	time.Sleep(500 * time.Millisecond)
+
+	tlsConfig := &tls.Config{
+		InsecureSkipVerify: true,
+		ServerName:         "snitest.com",
+	}
+	conn, err := tls.Dial("tcp", "127.0.0.1:443", tlsConfig)
+	c.Assert(err, checker.IsNil, check.Commentf("failed to connect to server"))
+
+	defer conn.Close()
+	err = conn.Handshake()
+	c.Assert(err, checker.IsNil, check.Commentf("TLS handshake error"))
+
+	cs := conn.ConnectionState()
+	err = cs.PeerCertificates[0].VerifyHostname("snitest.com")
+	c.Assert(err, checker.IsNil, check.Commentf("certificate did not match SNI servername"))
+}
+
+// TestWithSNIConfigRoute involves a client sending HTTPS requests with
+// SNI hostnames of "snitest.org" and "snitest.com". The test verifies
+// that traefik routes the requests to the expected backends.
+func (s *HTTPSSuite) TestWithSNIConfigRoute(c *check.C) {
+	cmd := exec.Command(traefikBinary, "fixtures/https/https_sni.toml")
+	err := cmd.Start()
+	c.Assert(err, checker.IsNil)
+	defer cmd.Process.Kill()
+
+	backend1 := startTestServer("9010", 204)
+	backend2 := startTestServer("9020", 205)
+	defer backend1.Close()
+	defer backend2.Close()
+
+	time.Sleep(2000 * time.Millisecond)
+
+	tr1 := &http.Transport{
+		TLSClientConfig: &tls.Config{
+			InsecureSkipVerify: true,
+			ServerName:         "snitest.com",
+		},
+	}
+	tr2 := &http.Transport{
+		TLSClientConfig: &tls.Config{
+			InsecureSkipVerify: true,
+			ServerName:         "snitest.org",
+		},
+	}
+
+	client := &http.Client{Transport: tr1}
+	req, _ := http.NewRequest("GET", "https://127.0.0.1/", nil)
+	req.Host = "snitest.com"
+	req.Header.Set("Host", "snitest.com")
+	req.Header.Set("Accept", "*/*")
+	resp, err := client.Do(req)
+	c.Assert(err, checker.IsNil)
+	// Expected a 204 (from backend1)
+	c.Assert(resp.StatusCode, checker.Equals, 204)
+
+	client = &http.Client{Transport: tr2}
+	req, _ = http.NewRequest("GET", "https://127.0.0.1/", nil)
+	req.Host = "snitest.org"
+	req.Header.Set("Host", "snitest.org")
+	req.Header.Set("Accept", "*/*")
+	resp, err = client.Do(req)
+	c.Assert(err, checker.IsNil)
+	// Expected a 205 (from backend2)
+	c.Assert(resp.StatusCode, checker.Equals, 205)
+}
+
+func startTestServer(port string, statusCode int) (ts *httptest.Server) {
+	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(statusCode)
+	})
+	listener, err := net.Listen("tcp", "127.0.0.1:"+port)
+	if err != nil {
+		panic(err)
+	}
+
+	ts = &httptest.Server{
+		Listener: listener,
+		Config:   &http.Server{Handler: handler},
+	}
+	ts.Start()
+	return
+}

integration/integration_test.go

@@ -24,6 +24,7 @@ func Test(t *testing.T) {
 
 func init() {
 	check.Suite(&SimpleSuite{})
+	check.Suite(&HTTPSSuite{})
 	check.Suite(&FileSuite{})
 	check.Suite(&DockerSuite{})
 	check.Suite(&ConsulSuite{})

provider/kv.go

@@ -11,7 +11,6 @@ import (
 	"github.com/docker/libkv"
 	"github.com/docker/libkv/store"
 	"github.com/emilevauge/traefik/types"
-	"strconv"
 )
 
 // Kv holds common configurations of key-value providers.
@@ -74,10 +73,9 @@ func (provider *Kv) loadConfig() *types.Configuration {
 		provider.Prefix,
 	}
 	var KvFuncMap = template.FuncMap{
-		"List":    provider.list,
-		"Get":     provider.get,
-		"GetBool": provider.getBool,
-		"Last":    provider.last,
+		"List": provider.list,
+		"Get":  provider.get,
+		"Last": provider.last,
 	}
 
 	configuration, err := provider.getConfiguration("templates/kv.tmpl", KvFuncMap, templateObjects)
@@ -114,16 +112,6 @@ func (provider *Kv) get(keys ...string) string {
 	return string(keyPair.Value)
 }
 
-func (provider *Kv) getBool(keys ...string) bool {
-	value := provider.get(keys...)
-	b, err := strconv.ParseBool(string(value))
-	if err != nil {
-		log.Error("Error getting key: ", strings.Join(keys, ""), err)
-		return false
-	}
-	return b
-}
-
 func (provider *Kv) last(key string) string {
 	splittedKey := strings.Split(key, "/")
 	return splittedKey[len(splittedKey)-1]

provider/kv_test.go

@@ -194,61 +194,6 @@ func TestKvGet(t *testing.T) {
 	}
 }
 
-func TestKvGetBool(t *testing.T) {
-	cases := []struct {
-		provider *Kv
-		keys     []string
-		expected bool
-	}{
-		{
-			provider: &Kv{
-				kvclient: &Mock{
-					KVPairs: []*store.KVPair{
-						{
-							Key:   "foo",
-							Value: []byte("true"),
-						},
-					},
-				},
-			},
-			keys:     []string{"foo"},
-			expected: true,
-		},
-		{
-			provider: &Kv{
-				kvclient: &Mock{
-					KVPairs: []*store.KVPair{
-						{
-							Key:   "foo",
-							Value: []byte("false"),
-						},
-					},
-				},
-			},
-			keys:     []string{"foo"},
-			expected: false,
-		},
-	}
-
-	for _, c := range cases {
-		actual := c.provider.getBool(c.keys...)
-		if actual != c.expected {
-			t.Fatalf("expected %v, got %v for %v and %v", c.expected, actual, c.keys, c.provider)
-		}
-	}
-
-	// Error case
-	provider := &Kv{
-		kvclient: &Mock{
-			Error: true,
-		},
-	}
-	actual := provider.get("anything")
-	if actual != "" {
-		t.Fatalf("Should have return nil, got %v", actual)
-	}
-}
-
 func TestKvLast(t *testing.T) {
 	cases := []struct {
 		key      string

provider/marathon.go

@@ -18,12 +18,19 @@ type Marathon struct {
 	Endpoint         string
 	Domain           string
 	NetworkInterface string
+	Basic            *MarathonBasic
 	marathonClient   lightMarathonClient
 }
 
+// MarathonBasic holds basic authentication specific configurations
+type MarathonBasic struct {
+	HTTPBasicAuthUser string
+	HTTPBasicPassword string
+}
+
 type lightMarathonClient interface {
 	Applications(url.Values) (*marathon.Applications, error)
-	AllTasks() (*marathon.Tasks, error)
+	AllTasks(v url.Values) (*marathon.Tasks, error)
 }
 
 // Provide allows the provider to provide configurations to traefik
@@ -32,6 +39,10 @@ func (provider *Marathon) Provide(configurationChan chan<- types.ConfigMessage)
 	config := marathon.NewDefaultConfig()
 	config.URL = provider.Endpoint
 	config.EventsInterface = provider.NetworkInterface
+	if provider.Basic != nil {
+		config.HTTPBasicAuthUser = provider.Basic.HTTPBasicAuthUser
+		config.HTTPBasicPassword = provider.Basic.HTTPBasicPassword
+	}
 	client, err := marathon.NewClient(config)
 	if err != nil {
 		log.Errorf("Failed to create a client for marathon, error: %s", err)
@@ -85,7 +96,7 @@ func (provider *Marathon) loadMarathonConfig() *types.Configuration {
 		return nil
 	}
 
-	tasks, err := provider.marathonClient.AllTasks()
+	tasks, err := provider.marathonClient.AllTasks((url.Values{"status": []string{"running"}}))
 	if err != nil {
 		log.Errorf("Failed to create a client for marathon, error: %s", err)
 		return nil
@@ -123,20 +134,55 @@ func taskFilter(task marathon.Task, applications *marathon.Applications) bool {
 		log.Debug("Filtering marathon task without port %s", task.AppID)
 		return false
 	}
-	application, errApp := getApplication(task, applications.Apps)
-	if errApp != nil {
+	application, err := getApplication(task, applications.Apps)
+	if err != nil {
 		log.Errorf("Unable to get marathon application from task %s", task.AppID)
 		return false
 	}
-	_, err := strconv.Atoi(application.Labels["traefik.port"])
-	if len(application.Ports) > 1 && err != nil {
-		log.Debugf("Filtering marathon task %s with more than 1 port and no traefik.port label", task.AppID)
-		return false
-	}
 	if application.Labels["traefik.enable"] == "false" {
 		log.Debugf("Filtering disabled marathon task %s", task.AppID)
 		return false
 	}
+
+	//filter indeterminable task port
+	portIndexLabel := application.Labels["traefik.portIndex"]
+	portValueLabel := application.Labels["traefik.port"]
+	if portIndexLabel != "" && portValueLabel != "" {
+		log.Debugf("Filtering marathon task %s specifying both traefik.portIndex and traefik.port labels", task.AppID)
+		return false
+	}
+	if portIndexLabel == "" && portValueLabel == "" && len(application.Ports) > 1 {
+		log.Debugf("Filtering marathon task %s with more than 1 port and no traefik.portIndex or traefik.port label", task.AppID)
+		return false
+	}
+	if portIndexLabel != "" {
+		index, err := strconv.Atoi(application.Labels["traefik.portIndex"])
+		if err != nil || index < 0 || index > len(application.Ports)-1 {
+			log.Debugf("Filtering marathon task %s with unexpected value for traefik.portIndex label", task.AppID)
+			return false
+		}
+	}
+	if portValueLabel != "" {
+		port, err := strconv.Atoi(application.Labels["traefik.port"])
+		if err != nil {
+			log.Debugf("Filtering marathon task %s with unexpected value for traefik.port label", task.AppID)
+			return false
+		}
+
+		var foundPort bool
+		for _, exposedPort := range task.Ports {
+			if port == exposedPort {
+				foundPort = true
+				break
+			}
+		}
+
+		if !foundPort {
+			log.Debugf("Filtering marathon task %s without a matching port for traefik.port label", task.AppID)
+			return false
+		}
+	}
+
 	//filter healthchecks
 	if application.HasHealthChecks() {
 		if task.HasHealthCheckResults() {
@@ -179,7 +225,22 @@ func (provider *Marathon) getLabel(application marathon.Application, label strin
 	return "", errors.New("Label not found:" + label)
 }
 
-func (provider *Marathon) getPort(task marathon.Task) string {
+func (provider *Marathon) getPort(task marathon.Task, applications []marathon.Application) string {
+	application, err := getApplication(task, applications)
+	if err != nil {
+		log.Errorf("Unable to get marathon application from task %s", task.AppID)
+		return ""
+	}
+
+	if portIndexLabel, err := provider.getLabel(application, "traefik.portIndex"); err == nil {
+		if index, err := strconv.Atoi(portIndexLabel); err == nil {
+			return strconv.Itoa(task.Ports[index])
+		}
+	}
+	if portValueLabel, err := provider.getLabel(application, "traefik.port"); err == nil {
+		return portValueLabel
+	}
+
 	for _, port := range task.Ports {
 		return strconv.Itoa(port)
 	}

provider/marathon_test.go

@@ -24,7 +24,7 @@ func (c *fakeClient) Applications(url.Values) (*marathon.Applications, error) {
 	return c.applications, nil
 }
 
-func (c *fakeClient) AllTasks() (*marathon.Tasks, error) {
+func (c *fakeClient) AllTasks(v url.Values) (*marathon.Tasks, error) {
 	if c.tasksError {
 		return nil, errors.New("error")
 	}
@@ -201,6 +201,97 @@ func TestMarathonTaskFilter(t *testing.T) {
 			},
 			expected: false,
 		},
+		{
+			task: marathon.Task{
+				AppID: "specify-port-number",
+				Ports: []int{80, 443},
+			},
+			applications: &marathon.Applications{
+				Apps: []marathon.Application{
+					{
+						ID:    "specify-port-number",
+						Ports: []int{80, 443},
+						Labels: map[string]string{
+							"traefik.port": "80",
+						},
+					},
+				},
+			},
+			expected: true,
+		},
+		{
+			task: marathon.Task{
+				AppID: "specify-unknown-port-number",
+				Ports: []int{80, 443},
+			},
+			applications: &marathon.Applications{
+				Apps: []marathon.Application{
+					{
+						ID:    "specify-unknown-port-number",
+						Ports: []int{80, 443},
+						Labels: map[string]string{
+							"traefik.port": "8080",
+						},
+					},
+				},
+			},
+			expected: false,
+		},
+		{
+			task: marathon.Task{
+				AppID: "specify-port-index",
+				Ports: []int{80, 443},
+			},
+			applications: &marathon.Applications{
+				Apps: []marathon.Application{
+					{
+						ID:    "specify-port-index",
+						Ports: []int{80, 443},
+						Labels: map[string]string{
+							"traefik.portIndex": "0",
+						},
+					},
+				},
+			},
+			expected: true,
+		},
+		{
+			task: marathon.Task{
+				AppID: "specify-out-of-range-port-index",
+				Ports: []int{80, 443},
+			},
+			applications: &marathon.Applications{
+				Apps: []marathon.Application{
+					{
+						ID:    "specify-out-of-range-port-index",
+						Ports: []int{80, 443},
+						Labels: map[string]string{
+							"traefik.portIndex": "2",
+						},
+					},
+				},
+			},
+			expected: false,
+		},
+		{
+			task: marathon.Task{
+				AppID: "specify-both-port-index-and-number",
+				Ports: []int{80, 443},
+			},
+			applications: &marathon.Applications{
+				Apps: []marathon.Application{
+					{
+						ID:    "specify-both-port-index-and-number",
+						Ports: []int{80, 443},
+						Labels: map[string]string{
+							"traefik.port":      "443",
+							"traefik.portIndex": "1",
+						},
+					},
+				},
+			},
+			expected: false,
+		},
 		{
 			task: marathon.Task{
 				AppID: "foo",
@@ -370,29 +461,84 @@ func TestMarathonGetPort(t *testing.T) {
 	provider := &Marathon{}
 
 	cases := []struct {
-		task     marathon.Task
-		expected string
+		applications []marathon.Application
+		task         marathon.Task
+		expected     string
 	}{
 		{
-			task:     marathon.Task{},
+			applications: []marathon.Application{},
+			task:         marathon.Task{},
+			expected:     "",
+		},
+		{
+			applications: []marathon.Application{
+				{
+					ID: "test1",
+				},
+			},
+			task: marathon.Task{
+				AppID: "test2",
+			},
 			expected: "",
 		},
 		{
+			applications: []marathon.Application{
+				{
+					ID: "test1",
+				},
+			},
 			task: marathon.Task{
+				AppID: "test1",
 				Ports: []int{80},
 			},
 			expected: "80",
 		},
 		{
+			applications: []marathon.Application{
+				{
+					ID: "test1",
+				},
+			},
 			task: marathon.Task{
+				AppID: "test1",
 				Ports: []int{80, 443},
 			},
 			expected: "80",
 		},
+		{
+			applications: []marathon.Application{
+				{
+					ID: "specify-port-number",
+					Labels: map[string]string{
+						"traefik.port": "443",
+					},
+				},
+			},
+			task: marathon.Task{
+				AppID: "specify-port-number",
+				Ports: []int{80, 443},
+			},
+			expected: "443",
+		},
+		{
+			applications: []marathon.Application{
+				{
+					ID: "specify-port-index",
+					Labels: map[string]string{
+						"traefik.portIndex": "1",
+					},
+				},
+			},
+			task: marathon.Task{
+				AppID: "specify-port-index",
+				Ports: []int{80, 443},
+			},
+			expected: "443",
+		},
 	}
 
 	for _, c := range cases {
-		actual := provider.getPort(c.task)
+		actual := provider.getPort(c.task, c.applications)
 		if actual != c.expected {
 			t.Fatalf("expected %q, got %q", c.expected, actual)
 		}

templates/kv.tmpl

@@ -28,7 +28,7 @@
     {{$frontend := Last .}}
     [frontends.{{$frontend}}]
     backend = "{{Get . "/backend"}}"
-    passHostHeader = "{{GetBool . "/passHostHeader"}}"
+    passHostHeader = {{Get . "/passHostHeader"}}
     {{$routes := List . "/routes/"}}
         {{range $routes}}
         [frontends.{{$frontend}}.routes.{{Last .}}]

templates/marathon.tmpl

@@ -1,7 +1,7 @@
 {{$apps := .Applications}}
 [backends]{{range .Tasks}}
     [backends.backend{{.AppID | replace "/" "-"}}.servers.server-{{.ID | replace "." "-"}}]
-    url = "{{getProtocol . $apps}}://{{.Host}}:{{getPort .}}"
+    url = "{{getProtocol . $apps}}://{{.Host}}:{{getPort . $apps}}"
     weight = {{getWeight . $apps}}
 {{end}}
 
@@ -9,7 +9,7 @@
   [frontends.frontend{{.ID | replace "/" "-"}}]
   backend = "backend{{.ID | replace "/" "-"}}"
   passHostHeader = {{getPassHostHeader .}}
-    [frontends.frontend-{{.ID | replace "/" ""}}.routes.route-host-{{.ID | replace "/" ""}}]
+    [frontends.frontend{{.ID | replace "/" "-"}}.routes.route-host{{.ID | replace "/" "-"}}]
     rule = "{{getFrontendRule .}}"
     value = "{{getFrontendValue .}}"
-{{end}}
+{{end}}

tests/compose-marathon.yml

@@ -6,7 +6,7 @@ zk:
     ZK_ID: 1
 
 master:
-  image: mesosphere/mesos-master:0.23.0-1.0.ubuntu1404
+  image: mesosphere/mesos-master:0.26.0-0.2.145.ubuntu1404
   net: host
   environment:
     MESOS_ZK: zk://127.0.0.1:2181/mesos
@@ -17,7 +17,7 @@ master:
     MESOS_WORK_DIR: /var/lib/mesos
 
 slave:
-  image: mesosphere/mesos-slave:0.23.0-1.0.ubuntu1404
+  image: mesosphere/mesos-slave:0.26.0-0.2.145.ubuntu1404
   net: host
   pid: host
   privileged: true
@@ -33,7 +33,7 @@ slave:
     - /var/run/docker.sock:/var/run/docker.sock
 
 marathon:
-  image: mesosphere/marathon:v0.9.2
+  image: mesosphere/marathon:v0.13.0
   net: host
   environment:
     MARATHON_MASTER: zk://127.0.0.1:2181/mesos

tests/whoami.json

@@ -10,14 +10,7 @@
       "network": "BRIDGE",
       "portMappings": [
         { "containerPort": 80, "hostPort": 0, "protocol": "tcp" }
-      ],
-      "parameters": [{
-        "key": "log-driver",
-        "value": "gelf"
-      }, {
-        "key": "log-opt",
-        "value": "gelf-address=udp://172.17.42.1:12201"
-      }]
+      ]
     }
   },
   "healthChecks": [
@@ -32,8 +25,6 @@
   ],
   "labels": {
       "traefik.weight": "1",
-      "traefik.protocole": "https",
-      "traefik.frontend.rule": "Path",
-      "traefik.frontend.value": "/test"
+      "traefik.protocole": "http"
   }
 }

traefik.go

@@ -209,35 +209,43 @@ func main() {
 		log.Fatal("Error preparing server: ", er)
 	}
 	go startServer(srv, globalConfiguration)
+	//TODO change that!
+	time.Sleep(100 * time.Millisecond)
 	serverLock.Unlock()
 
 	<-stopChan
 	log.Info("Shutting down")
 }
 
-func createTLSConfig(certFile string, keyFile string) (*tls.Config, error) {
+// creates a TLS config that allows terminating HTTPS for multiple domains using SNI
+func createTLSConfig(certs []Certificate) (*tls.Config, error) {
+	if len(certs) == 0 {
+		return nil, nil
+	}
+
 	config := &tls.Config{}
 	if config.NextProtos == nil {
 		config.NextProtos = []string{"http/1.1"}
 	}
 
 	var err error
-	config.Certificates = make([]tls.Certificate, 1)
-	if len(certFile) > 0 && len(keyFile) > 0 {
-		config.Certificates[0], err = tls.LoadX509KeyPair(certFile, keyFile)
+	config.Certificates = make([]tls.Certificate, len(certs))
+	for i, v := range certs {
+		config.Certificates[i], err = tls.LoadX509KeyPair(v.CertFile, v.KeyFile)
 		if err != nil {
 			return nil, err
 		}
-	} else {
-		return nil, nil
 	}
+	// BuildNameToCertificate parses the CommonName and SubjectAlternateName fields
+	// in each certificate and populates the config.NameToCertificate map.
+	config.BuildNameToCertificate()
 	return config, nil
 }
 
 func startServer(srv *manners.GracefulServer, globalConfiguration *GlobalConfiguration) {
 	log.Info("Starting server")
-	if len(globalConfiguration.CertFile) > 0 && len(globalConfiguration.KeyFile) > 0 {
-		err := srv.ListenAndServeTLS(globalConfiguration.CertFile, globalConfiguration.KeyFile)
+	if srv.TLSConfig != nil {
+		err := srv.ListenAndServeTLSWithConfig(srv.TLSConfig)
 		if err != nil {
 			log.Fatal("Error creating server: ", err)
 		}
@@ -258,7 +266,7 @@ func prepareServer(router *mux.Router, globalConfiguration *GlobalConfiguration,
 		negroni.Use(middleware)
 	}
 	negroni.UseHandler(router)
-	tlsConfig, err := createTLSConfig(globalConfiguration.CertFile, globalConfiguration.KeyFile)
+	tlsConfig, err := createTLSConfig(globalConfiguration.Certificates)
 	if err != nil {
 		log.Fatalf("Error creating TLS config %s", err)
 		return nil, err
@@ -273,8 +281,9 @@ func prepareServer(router *mux.Router, globalConfiguration *GlobalConfiguration,
 			}), nil
 	}
 	server, err := oldServer.HijackListener(&http.Server{
-		Addr:    globalConfiguration.Port,
-		Handler: negroni,
+		Addr:      globalConfiguration.Port,
+		Handler:   negroni,
+		TLSConfig: tlsConfig,
 	}, tlsConfig)
 	if err != nil {
 		log.Fatalf("Error hijacking server %s", err)

traefik.sample.toml

@@ -37,10 +37,12 @@
 #
 # logLevel = "ERROR"
 
-# SSL certificate and key used
+# SSL certificates and keys
+# You may add several certificate/key pairs to terminate HTTPS for multiple domain names using TLS SNI
 #
 # Optional
 #
+# [[certificates]]
 # CertFile = "traefik.crt"
 # KeyFile = "traefik.key"
 
@@ -140,6 +142,8 @@
 
 # Enable docker TLS connection
 #
+# Optional
+#
 #  [docker.tls]
 #  ca = "/etc/ssl/ca.crt"
 #  cert = "/etc/ssl/docker.crt"
@@ -190,6 +194,14 @@
 #
 # filename = "marathon.tmpl"
 
+# Enable Marathon basic authentication
+#
+# Optional
+#
+#  [marathon.basic]
+#  httpBasicAuthUser = "foo"
+#  httpBasicPassword = "bar"
+
 
 ################################################################
 # Consul KV configuration backend

web.go

@@ -19,6 +19,7 @@ import (
 type WebProvider struct {
 	Address           string
 	CertFile, KeyFile string
+	ReadOnly          bool
 }
 
 var (
@@ -40,6 +41,11 @@ func (provider *WebProvider) Provide(configurationChan chan<- types.ConfigMessag
 	systemRouter.Methods("GET").Path("/api/providers").HandlerFunc(getConfigHandler)
 	systemRouter.Methods("GET").Path("/api/providers/{provider}").HandlerFunc(getProviderHandler)
 	systemRouter.Methods("PUT").Path("/api/providers/{provider}").HandlerFunc(func(response http.ResponseWriter, request *http.Request) {
+		if provider.ReadOnly {
+			response.WriteHeader(http.StatusForbidden)
+			fmt.Fprintf(response, "REST API is in read-only mode")
+			return
+		}
 		vars := mux.Vars(request)
 		if vars["provider"] != "web" {
 			response.WriteHeader(http.StatusBadRequest)