From 316be0782cc4c4b70712057db16e5182c6dda93b Mon Sep 17 00:00:00 2001 From: Sheddy Date: Fri, 18 Apr 2025 07:12:04 +0100 Subject: [PATCH 1/3] Add content-length best practice documentation --- docs/content/middlewares/http/buffering.md | 4 ++++ .../security/best-practices/content-length.md | 24 +++++++++++++++++++ docs/mkdocs.yml | 4 ++++ 3 files changed, 32 insertions(+) create mode 100644 docs/content/security/best-practices/content-length.md diff --git a/docs/content/middlewares/http/buffering.md b/docs/content/middlewares/http/buffering.md index 56e88514b..47c7d3022 100644 --- a/docs/content/middlewares/http/buffering.md +++ b/docs/content/middlewares/http/buffering.md @@ -331,3 +331,7 @@ The retry expression is defined as a logical combination of the functions below - `Attempts()` number of attempts (the first one counts) - `ResponseCode()` response code of the service - `IsNetworkError()` whether the response code is related to networking error + +### Content-Length + +See [Best Practices: Content‑Length](../../security/best-practices/content-length.md) \ No newline at end of file diff --git a/docs/content/security/best-practices/content-length.md b/docs/content/security/best-practices/content-length.md new file mode 100644 index 000000000..e09c62b6d --- /dev/null +++ b/docs/content/security/best-practices/content-length.md @@ -0,0 +1,24 @@ +--- +title: "Content-Length" +description: "Enforce strict Content‑Length validation in Traefik by streaming or full buffering to prevent truncated or over‑long requests and responses. Read the technical documentation." +--- + +Traefik acts as a streaming proxy. By default, it checks each chunk of data against the `Content-Length` header as it passes it on to the backend or client. This live check blocks truncated or over‑long streams without holding the entire message. + +If you need Traefik to read and verify the full body before any data moves on, add the [buffering middleware](../../reference/routing-configuration/http/middlewares/buffering.md): + +```yaml +http: + middlewares: + buffer-and-validate: + buffering: {} +``` + +With buffering enabled, Traefik will: + +- Read the entire request or response into memory. +- Compare the actual byte count to the `Content-Length` header. +- Reject the message if the counts do not match. + +!!!warning + Buffering adds overhead. Every request and response is held in full before forwarding, which can increase memory use and latency. Use it when strict content validation is critical to your security posture. diff --git a/docs/mkdocs.yml b/docs/mkdocs.yml index 677244561..f6ac2d1d7 100644 --- a/docs/mkdocs.yml +++ b/docs/mkdocs.yml @@ -165,6 +165,10 @@ nav: - 'Instana': 'observability/tracing/instana.md' - 'Haystack': 'observability/tracing/haystack.md' - 'Elastic': 'observability/tracing/elastic.md' + - 'OpenTelemetry': 'observability/tracing/opentelemetry.md' + - 'Security': + - 'Best Practices': + - 'security/best-practices/content-length.md' - 'User Guides': - 'Kubernetes and Let''s Encrypt': 'user-guides/crd-acme/index.md' - 'gRPC Examples': 'user-guides/grpc.md' From 8816cb86a4425dfa90adf01312a6b6e4d73e2792 Mon Sep 17 00:00:00 2001 From: Romain Date: Fri, 18 Apr 2025 09:34:04 +0200 Subject: [PATCH 2/3] Prepare release v2.11.24 --- CHANGELOG.md | 11 +++++++++-- script/gcg/traefik-bugfix.toml | 6 +++--- 2 files changed, 12 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 89796db19..80a19819d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,17 +1,24 @@ -## [v2.11.23](https://github.com/traefik/traefik/tree/v2.11.23) (2025-04-17) -[All Commits](https://github.com/traefik/traefik/compare/v2.11.22...v2.11.23) +## [v2.11.24](https://github.com/traefik/traefik/tree/v2.11.24) (2025-04-18) +[All Commits](https://github.com/traefik/traefik/compare/v2.11.22...v2.11.24) **Bug fixes:** - **[acme]** Bump github.com/go-acme/lego/v4 to v4.23.1 ([#11690](https://github.com/traefik/traefik/pull/11690) by [ldez](https://github.com/ldez)) - **[metrics]** Bump gopkg.in/DataDog/dd-trace-go.v1 to v1.72.2 ([#11693](https://github.com/traefik/traefik/pull/11693) by [kevinpollet](https://github.com/kevinpollet)) - **[middleware]** Add Content-Length header to preflight response ([#11682](https://github.com/traefik/traefik/pull/11682) by [lbenguigui](https://github.com/lbenguigui)) - **[server]** Sanitize request path ([#11684](https://github.com/traefik/traefik/pull/11684) by [rtribotte](https://github.com/rtribotte)) +- Bump github.com/redis/go-redis/v9 to v9.7.3 ([#11695](https://github.com/traefik/traefik/pull/11695) by [kevinpollet](https://github.com/kevinpollet)) - Bump golang.org/x/net to v0.38.0 ([#11691](https://github.com/traefik/traefik/pull/11691) by [kevinpollet](https://github.com/kevinpollet)) - Bump golang.org/x/oauth2 to v0.28.0 ([#11689](https://github.com/traefik/traefik/pull/11689) by [rtribotte](https://github.com/rtribotte)) **Documentation:** +- **[middleware]** Add content-length best practice documentation ([#11697](https://github.com/traefik/traefik/pull/11697) by [sheddy-traefik](https://github.com/sheddy-traefik)) - Typo fix on the Explanation Section for User Guide HTTP Challenge. ([#11676](https://github.com/traefik/traefik/pull/11676) by [YapWC](https://github.com/YapWC)) +## [v2.11.23](https://github.com/traefik/traefik/tree/v2.11.23) (2025-04-17) +[All Commits](https://github.com/traefik/traefik/compare/v2.11.22...v2.11.23) + +Release canceled. + ## [v2.11.22](https://github.com/traefik/traefik/tree/v2.11.22) (2025-03-31) [All Commits](https://github.com/traefik/traefik/compare/v2.11.21...v2.11.22) diff --git a/script/gcg/traefik-bugfix.toml b/script/gcg/traefik-bugfix.toml index 41d55a223..798164f4f 100644 --- a/script/gcg/traefik-bugfix.toml +++ b/script/gcg/traefik-bugfix.toml @@ -4,11 +4,11 @@ RepositoryName = "traefik" OutputType = "file" FileName = "traefik_changelog.md" -# example new bugfix v2.11.23 +# example new bugfix v2.11.24 CurrentRef = "v2.11" -PreviousRef = "v2.11.22" +PreviousRef = "v2.11.23" BaseBranch = "v2.11" -FutureCurrentRefName = "v2.11.23" +FutureCurrentRefName = "v2.11.24" ThresholdPreviousRef = 10 ThresholdCurrentRef = 10 From 160edff2573e77cca4b9a4a7b234ce3d0ba53065 Mon Sep 17 00:00:00 2001 From: Romain Date: Fri, 18 Apr 2025 10:42:04 +0200 Subject: [PATCH 3/3] Change version for path sanitization migration guide --- docs/content/migration/v2.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/content/migration/v2.md b/docs/content/migration/v2.md index d56767071..cfffaadfd 100644 --- a/docs/content/migration/v2.md +++ b/docs/content/migration/v2.md @@ -657,11 +657,11 @@ Please check out the [entrypoint forwarded headers connection option configurati In `v2.11.14`, the `X-Forwarded-Prefix` header is now handled like the other `X-Forwarded-*` headers: Traefik removes it when it's sent from an untrusted source. Please refer to the Forwarded headers [documentation](../routing/entrypoints.md#forwarded-headers) for more details. -## v2.11.23 +## v2.11.24 ### Request Path Sanitization -Since `v2.11.23`, the incoming request path is now cleaned before being used to match the router rules and sent to the backends. +Since `v2.11.24`, the incoming request path is now cleaned before being used to match the router rules and sent to the backends. Any `/../`, `/./` or duplicate slash segments in the request path is interpreted and/or collapsed. If you want to disable this behavior, you can set the [`sanitizePath` option](../routing/entrypoints.md#sanitizepath) to `false` in the entryPoint HTTP configuration.