CNAME flattening

Gopkg.lock

@@ -1000,6 +1000,12 @@
   packages = ["ovh"]
   revision = "91b7eb631d2eced3e706932a0b36ee8b5ee22e92"
 
+[[projects]]
+  name = "github.com/patrickmn/go-cache"
+  packages = ["."]
+  revision = "a3647f8e31d79543b2d0f0ae2fe5c379d72cedc0"
+  version = "v2.1.0"
+
 [[projects]]
   branch = "master"
   name = "github.com/petar/GoLLRB"

Gopkg.toml

@@ -257,6 +257,10 @@
   go-tests = true
   unused-packages = true
 
+[[constraint]]
+  name = "github.com/patrickmn/go-cache"
+  version = "2.1.0"
+
 [[constraint]]
   name = "gopkg.in/DataDog/dd-trace-go.v1"
   version = "1.0.0"

cmd/configuration.go

@@ -269,6 +269,12 @@ func NewTraefikDefaultPointersConfiguration() *TraefikConfiguration {
 		},
 	}
 
+	defaultResolver := configuration.HostResolverConfig{
+		CnameFlattening: false,
+		ResolvConfig:    "/etc/resolv.conf",
+		ResolvDepth:     5,
+	}
+
 	defaultConfiguration := configuration.GlobalConfiguration{
 		Docker:             &defaultDocker,
 		File:               &defaultFile,
@@ -297,6 +303,7 @@ func NewTraefikDefaultPointersConfiguration() *TraefikConfiguration {
 		API:                &defaultAPI,
 		Metrics:            &defaultMetrics,
 		Tracing:            &defaultTracing,
+		HostResolver:       &defaultResolver,
 	}
 
 	return &TraefikConfiguration{

configuration/configuration.go

@@ -104,6 +104,7 @@ type GlobalConfiguration struct {
 	API                       *api.Handler            `description:"Enable api/dashboard" export:"true"`
 	Metrics                   *types.Metrics          `description:"Enable a metrics exporter" export:"true"`
 	Ping                      *ping.Handler           `description:"Enable ping" export:"true"`
+	HostResolver              *HostResolverConfig     `description:"Enable CNAME Flattening" export:"true"`
 }
 
 // WebCompatibility is a configuration to handle compatibility with deprecated web provider options
@@ -519,3 +520,10 @@ type LifeCycle struct {
 	RequestAcceptGraceTimeout flaeg.Duration `description:"Duration to keep accepting requests before Traefik initiates the graceful shutdown procedure"`
 	GraceTimeOut              flaeg.Duration `description:"Duration to give active requests a chance to finish before Traefik stops"`
 }
+
+// HostResolverConfig contain configuration for CNAME Flattening
+type HostResolverConfig struct {
+	CnameFlattening bool   `description:"A flag to enable/disable CNAME flattening" export:"true"`
+	ResolvConfig    string `description:"resolv.conf used for DNS resolving" export:"true"`
+	ResolvDepth     int    `description:"The maximal depth of DNS recursive resolving" export:"true"`
+}

docs/configuration/commons.md

@@ -416,6 +416,38 @@ If no units are provided, the value is parsed assuming seconds.
 idleTimeout = "360s"
 ```
 
+## Host Resolver
+
+`hostResolver` are used for request host matching process.
+
+```toml
+[hostResolver]
+
+# cnameFlattening is a trigger to flatten request host, assuming it is a CNAME record
+#
+# Optional
+# Default : false
+#
+cnameFlattening = true
+
+# resolvConf is dns resolving configuration file, the default is /etc/resolv.conf
+#
+# Optional
+# Default : "/etc/resolv.conf"
+#
+# resolvConf = "/etc/resolv.conf"
+
+# resolvDepth is the maximum CNAME recursive lookup
+#
+# Optional
+# Default : 5
+#
+# resolvDepth = 5
+```
+
+- To allow serving secure https request and generate the SSL using ACME while `cnameFlattening` is active. 
+The `acme` configuration for `HTTP-01` challenge and `onDemand` is mandatory. 
+Refer to [ACME configuration](/configuration/acme) for more information.
 
 ## Override Default Configuration Template
 

hostresolver/hostresolver.go

@@ -0,0 +1,121 @@
+package hostresolver
+
+import (
+	"fmt"
+	"net"
+	"sort"
+	"strings"
+	"time"
+
+	"github.com/containous/traefik/log"
+	"github.com/miekg/dns"
+	"github.com/patrickmn/go-cache"
+)
+
+type cnameResolv struct {
+	TTL    time.Duration
+	Record string
+}
+
+type byTTL []*cnameResolv
+
+func (a byTTL) Len() int           { return len(a) }
+func (a byTTL) Swap(i, j int)      { a[i], a[j] = a[j], a[i] }
+func (a byTTL) Less(i, j int) bool { return a[i].TTL > a[j].TTL }
+
+// Resolver used for host resolver
+type Resolver struct {
+	CnameFlattening bool
+	ResolvConfig    string
+	ResolvDepth     int
+	cache           *cache.Cache
+}
+
+// CNAMEFlatten check if CNAME record exists, flatten if possible
+func (hr *Resolver) CNAMEFlatten(host string) (string, string) {
+	if hr.cache == nil {
+		hr.cache = cache.New(30*time.Minute, 5*time.Minute)
+	}
+
+	result := []string{host}
+	request := host
+
+	value, found := hr.cache.Get(host)
+	if found {
+		result = strings.Split(value.(string), ",")
+	} else {
+		var cacheDuration = 0 * time.Second
+
+		for depth := 0; depth < hr.ResolvDepth; depth++ {
+			resolv, err := cnameResolve(request, hr.ResolvConfig)
+			if err != nil {
+				log.Error(err)
+				break
+			}
+			if resolv == nil {
+				break
+			}
+
+			result = append(result, resolv.Record)
+			if depth == 0 {
+				cacheDuration = resolv.TTL
+			}
+			request = resolv.Record
+		}
+
+		hr.cache.Add(host, strings.Join(result, ","), cacheDuration)
+	}
+
+	return result[0], result[len(result)-1]
+}
+
+// cnameResolve resolves CNAME if exists, and return with the highest TTL
+func cnameResolve(host string, resolvPath string) (*cnameResolv, error) {
+	config, err := dns.ClientConfigFromFile(resolvPath)
+	if err != nil {
+		return nil, fmt.Errorf("invalid resolver configuration file: %s", resolvPath)
+	}
+
+	client := &dns.Client{Timeout: 30 * time.Second}
+
+	m := &dns.Msg{}
+	m.SetQuestion(dns.Fqdn(host), dns.TypeCNAME)
+
+	var result []*cnameResolv
+	for _, server := range config.Servers {
+		tempRecord, err := getRecord(client, m, server, config.Port)
+		if err != nil {
+			log.Errorf("Failed to resolve host %s: %v", host, err)
+			continue
+		}
+		result = append(result, tempRecord)
+	}
+
+	if len(result) <= 0 {
+		return nil, nil
+	}
+
+	sort.Sort(byTTL(result))
+	return result[0], nil
+}
+
+func getRecord(client *dns.Client, msg *dns.Msg, server string, port string) (*cnameResolv, error) {
+	resp, _, err := client.Exchange(msg, net.JoinHostPort(server, port))
+	if err != nil {
+		return nil, fmt.Errorf("exchange error for server %s: %v", server, err)
+	}
+
+	if resp == nil || len(resp.Answer) == 0 {
+		return nil, fmt.Errorf("empty answer for server %s", server)
+	}
+
+	rr, ok := resp.Answer[0].(*dns.CNAME)
+	if !ok {
+		return nil, fmt.Errorf("invalid response type for server %s", server)
+	}
+
+	return &cnameResolv{
+		TTL:    time.Duration(rr.Hdr.Ttl) * time.Second,
+		Record: strings.TrimSuffix(rr.Target, "."),
+	}, nil
+}

hostresolver/hostresolver_test.go

@@ -0,0 +1,61 @@
+package hostresolver
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestCNAMEFlatten(t *testing.T) {
+	testCase := []struct {
+		desc           string
+		resolvFile     string
+		domain         string
+		expectedDomain string
+		isCNAME        bool
+	}{
+		{
+			desc:           "host request is CNAME record",
+			resolvFile:     "/etc/resolv.conf",
+			domain:         "www.github.com",
+			expectedDomain: "github.com",
+			isCNAME:        true,
+		},
+		{
+			desc:           "resolve file not found",
+			resolvFile:     "/etc/resolv.oops",
+			domain:         "www.github.com",
+			expectedDomain: "www.github.com",
+			isCNAME:        false,
+		},
+		{
+			desc:           "host request is not CNAME record",
+			resolvFile:     "/etc/resolv.conf",
+			domain:         "github.com",
+			expectedDomain: "github.com",
+			isCNAME:        false,
+		},
+	}
+
+	for _, test := range testCase {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			hostResolver := &Resolver{
+				ResolvConfig: test.resolvFile,
+				ResolvDepth:  5,
+			}
+
+			reqH, flatH := hostResolver.CNAMEFlatten(test.domain)
+			assert.Equal(t, test.domain, reqH)
+			assert.Equal(t, test.expectedDomain, flatH)
+
+			if test.isCNAME {
+				assert.NotEqual(t, test.expectedDomain, reqH)
+			} else {
+				assert.Equal(t, test.expectedDomain, reqH)
+			}
+		})
+	}
+}

integration/fixtures/simple_hostresolver.toml

@@ -0,0 +1,16 @@
+logLevel = "DEBUG"
+defaultEntryPoints = ["http"]
+
+[entryPoints]
+  [entryPoints.http]
+  address = ":8000"
+
+[api]
+
+[docker]
+exposedByDefault = false
+domain = "docker.local"
+watch = true
+
+[hostResolver]
+cnameFlattening = true

integration/hostresolver_test.go

@@ -0,0 +1,54 @@
+package integration
+
+import (
+	"net/http"
+	"time"
+
+	"github.com/containous/traefik/integration/try"
+	"github.com/go-check/check"
+	checker "github.com/vdemeester/shakers"
+)
+
+type HostResolverSuite struct{ BaseSuite }
+
+func (s *HostResolverSuite) SetUpSuite(c *check.C) {
+	s.createComposeProject(c, "hostresolver")
+
+	s.composeProject.Start(c)
+	s.composeProject.Container(c, "server1")
+}
+
+func (s *HostResolverSuite) TestSimpleConfig(c *check.C) {
+	cmd, display := s.traefikCmd(withConfigFile("fixtures/simple_hostresolver.toml"))
+	defer display(c)
+
+	err := cmd.Start()
+	c.Assert(err, checker.IsNil)
+	defer cmd.Process.Kill()
+
+	testCase := []struct {
+		desc   string
+		host   string
+		status int
+	}{
+		{
+			desc:   "host request is resolved",
+			host:   "www.github.com",
+			status: http.StatusOK,
+		},
+		{
+			desc:   "host request is not resolved",
+			host:   "frontend.docker.local",
+			status: http.StatusNotFound,
+		},
+	}
+
+	for _, test := range testCase {
+		req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/", nil)
+		c.Assert(err, checker.IsNil)
+		req.Host = test.host
+
+		err = try.Request(req, 500*time.Millisecond, try.StatusCodeIs(test.status), try.HasBody())
+		c.Assert(err, checker.IsNil)
+	}
+}

integration/integration_test.go

@@ -51,6 +51,7 @@ func init() {
 		check.Suite(&FileSuite{})
 		check.Suite(&GRPCSuite{})
 		check.Suite(&HealthCheckSuite{})
+		check.Suite(&HostResolverSuite{})
 		check.Suite(&HTTPSSuite{})
 		check.Suite(&LogRotationSuite{})
 		check.Suite(&MarathonSuite{})

integration/resources/compose/hostresolver.yml

@@ -0,0 +1,8 @@
+server1:
+  image: emilevauge/whoami
+  labels:
+    - traefik.enable=true
+    - traefik.port=80
+    - traefik.backend=backend1
+    - traefik.frontend.entryPoints=http
+    - traefik.frontend.rule=Host:github.com

rules/rules.go

@@ -11,13 +11,16 @@ import (
 
 	"github.com/BurntSushi/ty/fun"
 	"github.com/containous/mux"
+	"github.com/containous/traefik/hostresolver"
+	"github.com/containous/traefik/log"
 	"github.com/containous/traefik/types"
 )
 
 // Rules holds rule parsing and configuration
 type Rules struct {
-	Route *types.ServerRoute
-	err   error
+	Route        *types.ServerRoute
+	err          error
+	HostResolver *hostresolver.Resolver
 }
 
 func (r *Rules) host(hosts ...string) *mux.Route {
@@ -26,6 +29,19 @@ func (r *Rules) host(hosts ...string) *mux.Route {
 		if err != nil {
 			reqHost = req.Host
 		}
+
+		if r.HostResolver != nil && r.HostResolver.CnameFlattening {
+			reqH, flatH := r.HostResolver.CNAMEFlatten(types.CanonicalDomain(reqHost))
+			for _, host := range hosts {
+				if types.CanonicalDomain(reqH) == types.CanonicalDomain(host) ||
+					types.CanonicalDomain(flatH) == types.CanonicalDomain(host) {
+					return true
+				}
+				log.Debugf("CNAMEFlattening: request %s which resolved to %s, is not matched to route %s", reqH, flatH, host)
+			}
+			return false
+		}
+
 		for _, host := range hosts {
 			if types.CanonicalDomain(reqHost) == types.CanonicalDomain(host) {
 				return true

server/server_configuration.go

@@ -13,6 +13,7 @@ import (
 	"github.com/containous/mux"
 	"github.com/containous/traefik/configuration"
 	"github.com/containous/traefik/healthcheck"
+	"github.com/containous/traefik/hostresolver"
 	"github.com/containous/traefik/log"
 	"github.com/containous/traefik/metrics"
 	"github.com/containous/traefik/middlewares"
@@ -136,6 +137,7 @@ func (s *Server) loadFrontendConfig(
 ) ([]handlerPostConfig, error) {
 
 	frontend := config.Frontends[frontendName]
+	hostResolver := buildHostResolver(s.globalConfiguration)
 
 	if len(frontend.EntryPoints) == 0 {
 		return nil, fmt.Errorf("no entrypoint defined for frontend %s", frontendName)
@@ -202,7 +204,7 @@ func (s *Server) loadFrontendConfig(
 				frontend.Backend, entryPointName, providerName, frontendName, frontendHash)
 		}
 
-		serverRoute, err := buildServerRoute(serverEntryPoints[entryPointName], frontendName, frontend)
+		serverRoute, err := buildServerRoute(serverEntryPoints[entryPointName], frontendName, frontend, hostResolver)
 		if err != nil {
 			return nil, err
 		}
@@ -261,12 +263,12 @@ func (s *Server) buildForwarder(entryPointName string, entryPoint *configuration
 	return fwd, nil
 }
 
-func buildServerRoute(serverEntryPoint *serverEntryPoint, frontendName string, frontend *types.Frontend) (*types.ServerRoute, error) {
+func buildServerRoute(serverEntryPoint *serverEntryPoint, frontendName string, frontend *types.Frontend, hostResolver *hostresolver.Resolver) (*types.ServerRoute, error) {
 	serverRoute := &types.ServerRoute{Route: serverEntryPoint.httpRouter.GetHandler().NewRoute().Name(frontendName)}
 
 	priority := 0
 	for routeName, route := range frontend.Routes {
-		rls := rules.Rules{Route: serverRoute}
+		rls := rules.Rules{Route: serverRoute, HostResolver: hostResolver}
 		newRoute, err := rls.Parse(route.Rule)
 		if err != nil {
 			return nil, fmt.Errorf("error creating route for frontend %s: %v", frontendName, err)
@@ -582,3 +584,14 @@ func sortedFrontendNamesForConfig(configuration *types.Configuration) []string {
 	sort.Strings(keys)
 	return keys
 }
+
+func buildHostResolver(globalConfig configuration.GlobalConfiguration) *hostresolver.Resolver {
+	if globalConfig.HostResolver != nil {
+		return &hostresolver.Resolver{
+			CnameFlattening: globalConfig.HostResolver.CnameFlattening,
+			ResolvConfig:    globalConfig.HostResolver.ResolvConfig,
+			ResolvDepth:     globalConfig.HostResolver.ResolvDepth,
+		}
+	}
+	return nil
+}

vendor/github.com/patrickmn/go-cache/LICENSE

@@ -0,0 +1,19 @@
+Copyright (c) 2012-2017 Patrick Mylund Nielsen and the go-cache contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

vendor/github.com/patrickmn/go-cache/sharded.go

@@ -0,0 +1,192 @@
+package cache
+
+import (
+	"crypto/rand"
+	"math"
+	"math/big"
+	insecurerand "math/rand"
+	"os"
+	"runtime"
+	"time"
+)
+
+// This is an experimental and unexported (for now) attempt at making a cache
+// with better algorithmic complexity than the standard one, namely by
+// preventing write locks of the entire cache when an item is added. As of the
+// time of writing, the overhead of selecting buckets results in cache
+// operations being about twice as slow as for the standard cache with small
+// total cache sizes, and faster for larger ones.
+//
+// See cache_test.go for a few benchmarks.
+
+type unexportedShardedCache struct {
+	*shardedCache
+}
+
+type shardedCache struct {
+	seed    uint32
+	m       uint32
+	cs      []*cache
+	janitor *shardedJanitor
+}
+
+// djb2 with better shuffling. 5x faster than FNV with the hash.Hash overhead.
+func djb33(seed uint32, k string) uint32 {
+	var (
+		l = uint32(len(k))
+		d = 5381 + seed + l
+		i = uint32(0)
+	)
+	// Why is all this 5x faster than a for loop?
+	if l >= 4 {
+		for i < l-4 {
+			d = (d * 33) ^ uint32(k[i])
+			d = (d * 33) ^ uint32(k[i+1])
+			d = (d * 33) ^ uint32(k[i+2])
+			d = (d * 33) ^ uint32(k[i+3])
+			i += 4
+		}
+	}
+	switch l - i {
+	case 1:
+	case 2:
+		d = (d * 33) ^ uint32(k[i])
+	case 3:
+		d = (d * 33) ^ uint32(k[i])
+		d = (d * 33) ^ uint32(k[i+1])
+	case 4:
+		d = (d * 33) ^ uint32(k[i])
+		d = (d * 33) ^ uint32(k[i+1])
+		d = (d * 33) ^ uint32(k[i+2])
+	}
+	return d ^ (d >> 16)
+}
+
+func (sc *shardedCache) bucket(k string) *cache {
+	return sc.cs[djb33(sc.seed, k)%sc.m]
+}
+
+func (sc *shardedCache) Set(k string, x interface{}, d time.Duration) {
+	sc.bucket(k).Set(k, x, d)
+}
+
+func (sc *shardedCache) Add(k string, x interface{}, d time.Duration) error {
+	return sc.bucket(k).Add(k, x, d)
+}
+
+func (sc *shardedCache) Replace(k string, x interface{}, d time.Duration) error {
+	return sc.bucket(k).Replace(k, x, d)
+}
+
+func (sc *shardedCache) Get(k string) (interface{}, bool) {
+	return sc.bucket(k).Get(k)
+}
+
+func (sc *shardedCache) Increment(k string, n int64) error {
+	return sc.bucket(k).Increment(k, n)
+}
+
+func (sc *shardedCache) IncrementFloat(k string, n float64) error {
+	return sc.bucket(k).IncrementFloat(k, n)
+}
+
+func (sc *shardedCache) Decrement(k string, n int64) error {
+	return sc.bucket(k).Decrement(k, n)
+}
+
+func (sc *shardedCache) Delete(k string) {
+	sc.bucket(k).Delete(k)
+}
+
+func (sc *shardedCache) DeleteExpired() {
+	for _, v := range sc.cs {
+		v.DeleteExpired()
+	}
+}
+
+// Returns the items in the cache. This may include items that have expired,
+// but have not yet been cleaned up. If this is significant, the Expiration
+// fields of the items should be checked. Note that explicit synchronization
+// is needed to use a cache and its corresponding Items() return values at
+// the same time, as the maps are shared.
+func (sc *shardedCache) Items() []map[string]Item {
+	res := make([]map[string]Item, len(sc.cs))
+	for i, v := range sc.cs {
+		res[i] = v.Items()
+	}
+	return res
+}
+
+func (sc *shardedCache) Flush() {
+	for _, v := range sc.cs {
+		v.Flush()
+	}
+}
+
+type shardedJanitor struct {
+	Interval time.Duration
+	stop     chan bool
+}
+
+func (j *shardedJanitor) Run(sc *shardedCache) {
+	j.stop = make(chan bool)
+	tick := time.Tick(j.Interval)
+	for {
+		select {
+		case <-tick:
+			sc.DeleteExpired()
+		case <-j.stop:
+			return
+		}
+	}
+}
+
+func stopShardedJanitor(sc *unexportedShardedCache) {
+	sc.janitor.stop <- true
+}
+
+func runShardedJanitor(sc *shardedCache, ci time.Duration) {
+	j := &shardedJanitor{
+		Interval: ci,
+	}
+	sc.janitor = j
+	go j.Run(sc)
+}
+
+func newShardedCache(n int, de time.Duration) *shardedCache {
+	max := big.NewInt(0).SetUint64(uint64(math.MaxUint32))
+	rnd, err := rand.Int(rand.Reader, max)
+	var seed uint32
+	if err != nil {
+		os.Stderr.Write([]byte("WARNING: go-cache's newShardedCache failed to read from the system CSPRNG (/dev/urandom or equivalent.) Your system's security may be compromised. Continuing with an insecure seed.\n"))
+		seed = insecurerand.Uint32()
+	} else {
+		seed = uint32(rnd.Uint64())
+	}
+	sc := &shardedCache{
+		seed: seed,
+		m:    uint32(n),
+		cs:   make([]*cache, n),
+	}
+	for i := 0; i < n; i++ {
+		c := &cache{
+			defaultExpiration: de,
+			items:             map[string]Item{},
+		}
+		sc.cs[i] = c
+	}
+	return sc
+}
+
+func unexportedNewSharded(defaultExpiration, cleanupInterval time.Duration, shards int) *unexportedShardedCache {
+	if defaultExpiration == 0 {
+		defaultExpiration = -1
+	}
+	sc := newShardedCache(shards, defaultExpiration)
+	SC := &unexportedShardedCache{sc}
+	if cleanupInterval > 0 {
+		runShardedJanitor(sc, cleanupInterval)
+		runtime.SetFinalizer(SC, stopShardedJanitor)
+	}
+	return SC
+}