Prepare release v1.7.20

Truncate key for identification in log
Add a warning note regarding optional TLS mutual auth
2019-12-10 17:50:05 +01:00 · 2019-12-09 11:50:06 +01:00 · 2019-11-27 17:18:05 +01:00 · 2019-11-18 14:28:06 +01:00
7 changed files with 39 additions and 10 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,15 @@
 # Change Log

+## [v1.7.20](https://github.com/containous/traefik/tree/v1.7.20) (2019-12-09)
+[All Commits](https://github.com/containous/traefik/compare/v1.7.19...v1.7.20)
+
+**Bug fixes:**
+- **[acme]** Truncate key for identification in log ([#5941](https://github.com/containous/traefik/pull/5941) by [dtomcej](https://github.com/dtomcej))
+- **[middleware]** fix: location header rewrite. ([#5857](https://github.com/containous/traefik/pull/5857) by [ldez](https://github.com/ldez))
+
+**Documentation:**
+- Add a warning note regarding optional TLS mutual auth ([#5434](https://github.com/containous/traefik/pull/5434) by [bradjones1](https://github.com/bradjones1))
+
 ## [v1.7.19](https://github.com/containous/traefik/tree/v1.7.19) (2019-10-25)
 [All Commits](https://github.com/containous/traefik/compare/v1.7.18...v1.7.19)

--- a/Gopkg.lock
+++ b/Gopkg.lock
@@ -1915,12 +1915,12 @@
  revision = "50716a0a853771bb36bfce61a45cdefdb98c2e6e"

 [[projects]]
-  branch = "v1"
-  digest = "1:819d4566276aed820b412b7e72683edfe99f53d2ac54e5b13eda197b523a369b"
+  digest = "1:649756d307b6d8ddb369d1cca0465b679aa7d1a956ddfa8eb18f8072a1a2b7a4"
  name = "github.com/unrolled/secure"
  packages = ["."]
  pruneopts = "NUT"
-  revision = "232c938a6a69cfd83e26e2bfe100a20486d3a9a0"
+  revision = "996bc0cd7e5be6e6a1c5f34b0259bc47c8bcfbc9"
+  version = "v1.0.5"

 [[projects]]
  digest = "1:e84e99d5f369afaa9a5c41f55b57fa03047ecd3bac2a65861607882693ceea81"
--- a/Gopkg.toml
+++ b/Gopkg.toml
@@ -167,8 +167,8 @@
  version = "1.1.0"

 [[constraint]]
-  branch = "v1"
  name = "github.com/unrolled/secure"
+  version = "1.0.5"

 [[constraint]]
  name = "github.com/vdemeester/shakers"
--- a/acme/account.go
+++ b/acme/account.go
@@ -111,7 +111,12 @@ func (a *Account) GetPrivateKey() crypto.PrivateKey {
 		return privateKey
 	}

-	log.Errorf("Cannot unmarshall private key %+v", a.PrivateKey)
+	keySnippet := ""
+	if len(a.PrivateKey) >= 16 {
+		keySnippet = string(a.PrivateKey[:16])
+	}
+
+	log.Errorf("Cannot unmarshall private key beginning with %s", keySnippet)
 	return nil
 }

--- a/docs/configuration/entrypoints.md
+++ b/docs/configuration/entrypoints.md
@@ -239,11 +239,14 @@ TLS Mutual Authentication can be `optional` or not.
 * If `optional = true`, if a certificate is provided, verifies if it is signed by a specified Certificate Authority (CA). Otherwise proceeds without any certificate.
 * If `optional = false`, Traefik will only accept clients that present a certificate signed by a specified Certificate Authority (CA).

+!!! warning
+    While the TLS [1.1](https://tools.ietf.org/html/rfc4346#section-7.4.6) and [1.2](https://tools.ietf.org/html/rfc5246#section-7.4.6) RFCs specify that clients should proceed with handshaking by sending an empty list should they have no certs for the CAs specified by the server, not all do so in practice.
+    Use this feature with caution should you require maximum compatibility with a wide variety of client user agents which may not strictly implement these specs.
+
 `ClientCAFiles` can be configured with multiple `CA:s` in the same file or use multiple files containing one or several `CA:s`.
 The `CA:s` has to be in PEM format.

-By default, `ClientCAFiles` is not optional, all clients will be required to present a valid cert.
-The requirement will apply to all server certs in the entrypoint.
+By default, `ClientCAFiles` is not optional, all clients will be required to present a valid cert. The requirement will apply to all server certs in the entrypoint.

 In the example below both `snitest.com` and `snitest.org` will require client certs

--- a/provider/acme/account.go
+++ b/provider/acme/account.go
@@ -57,7 +57,12 @@ func (a *Account) GetPrivateKey() crypto.PrivateKey {
 		return privateKey
 	}

-	log.Errorf("Cannot unmarshal private key %+v", a.PrivateKey)
+	keySnippet := ""
+	if len(a.PrivateKey) >= 16 {
+		keySnippet = string(a.PrivateKey[:16])
+	}
+
+	log.Errorf("Cannot unmarshall private key beginning with %s", keySnippet)
 	return nil
 }

--- a/vendor/github.com/unrolled/secure/secure.go
+++ b/vendor/github.com/unrolled/secure/secure.go
@@ -437,9 +437,15 @@ func (s *Secure) isSSL(r *http.Request) bool {
 // Used by http.ReverseProxy.
 func (s *Secure) ModifyResponseHeaders(res *http.Response) error {
 	if res != nil && res.Request != nil {
-		// Fix Location response header http to https when SSL is enabled.
+		// Fix Location response header http to https:
+		// When SSL is enabled,
+		// And SSLHost is defined,
+		// And the response location header includes the SSLHost as the domain with a trailing slash,
+		// Or an exact match to the SSLHost.
 		location := res.Header.Get("Location")
-		if s.isSSL(res.Request) && strings.Contains(location, "http:") {
+		if s.isSSL(res.Request) &&
+			len(s.opt.SSLHost) > 0 &&
+			(strings.HasPrefix(location, fmt.Sprintf("http://%s/", s.opt.SSLHost)) || location == fmt.Sprintf("http://%s", s.opt.SSLHost)) {
 			location = strings.Replace(location, "http:", "https:", 1)
 			res.Header.Set("Location", location)
 		}
Author	SHA1	Message	Date
Ludovic Fernandez	a8393faf0a	Prepare release v1.7.20	2019-12-10 17:50:05 +01:00
Daniel Tomcej	4b8ece5b42	Truncate key for identification in log	2019-12-09 11:50:06 +01:00
Brad Jones	7574bb9226	Add a warning note regarding optional TLS mutual auth	2019-11-27 17:18:05 +01:00
Ludovic Fernandez	f68b629469	fix: location header rewrite. Co-authored-by: Daniel Tomcej <daniel.tomcej@gmail.com>	2019-11-18 14:28:06 +01:00