plugin_log4shell

Published: Dec 16, 2021 License: Apache-2.0 Imports: 4 Imported by: 0

README

Log4Shell Mitigation

Log4Shell is a middleware plugin for Traefik which blocks JNDI attacks based on HTTP header values.

Related to the Log4J CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

Configuration

Static

CLI
--pilot.token=xxx
--experimental.plugins.log4shell.modulename=github.com/traefik/plugin-log4shell
--experimental.plugins.log4shell.version=v0.1.2

YAML
pilot:
  token: xxx

experimental:
  plugins:
    log4shell:
      modulename: github.com/traefik/plugin-log4shell
      version: v0.1.2

TOML
[pilot]
    token = "xxx"

[experimental.plugins.log4shell]
    modulename = "github.com/traefik/plugin-log4shell"
    version = "v0.1.2"

Dynamic

To configure the Log4Shell plugin, create a middleware in your dynamic configuration, as explained in the Traefik documentation.

File

YAML
http:
  middlewares:
    log4shell-foo:
      plugin:
        log4shell:
          errorCode: 200

  routers:
    my-router:
      rule: Host(`localhost`)
      middlewares:
        - log4shell-foo
      service: my-service

  services:
    my-service:
      loadBalancer:
        servers:
          - url: 'http://127.0.0.1'

TOML
[http.middlewares]
  [http.middlewares.log4shell-foo.plugin.log4shell]
    errorCode = 200

[http.routers]
  [http.routers.my-router]
    rule = "Host(`localhost`)"
    middlewares = ["log4shell-foo"]
    service = "my-service"

[http.services]
  [http.services.my-service]
    [http.services.my-service.loadBalancer]
      [[http.services.my-service.loadBalancer.servers]]
        url = "http://127.0.0.1"

Kubernetes
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: log4shell-foo
spec:
  plugin:
    log4shell:
      errorCode: 200

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: whoami
spec:
  entryPoints:
    - web
  routes:
    - kind: Rule
      match: Host(`whoami.example.com`)
      middlewares:
        - name: log4shell-foo
      services:
        - kind: Service
          name: whoami-svc
          port: 80

---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: log4shell-foo
spec:
  plugin:
    log4shell:
      errorCode: 200

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myingress
  annotations:
    traefik.ingress.kubernetes.io/router.middlewares: default-log4shell-foo@kubernetescrd

spec:
  rules:
    - host: example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name:  whoami
                port:
                  number: 80

Docker
version: '3.7'

services:
  whoami:
    image: traefik/whoami:v1.7.1
    labels:
      traefik.enable: 'true'

      traefik.http.routers.app.rule: Host(`whoami.localhost`)
      traefik.http.routers.app.entrypoints: websecure
      traefik.http.routers.app.middlewares: log4shell-foo
      
      traefik.http.middlewares.log4shell-foo.plugin.log4shell.errorcode: 200

Documentation

Constants

const (
	Start     = "START"
	End       = "END"
	Content   = "CONTENT"
	Separator = "SEP"
)

Token types.

const (
	Expression = "EXP"
	Text       = "TXT"
	Root       = "ROOT"
)

Node types.

Functions

func New

func New(_ context.Context, next http.Handler, config *Config, name string) (http.Handler, error)

New creates a new plugin.

Types

type Config

type Config struct {
	ErrorCode int `json:"errorCode"`
}

Config is the plugin configuration.

func CreateConfig

func CreateConfig() *Config

CreateConfig creates the default plugin configuration.

type Log4J

type Log4J struct {
	ErrorCode int
	// contains filtered or unexported fields
}

Log4J is a plugin.

func (*Log4J) ServeHTTP

func (l *Log4J) ServeHTTP(rw http.ResponseWriter, req *http.Request)

type Node

type Node struct {
	Type string

	Text  string
	Key   Nodes
	Value Nodes
}

Node is a node.

func Parse

func Parse(value string) *Node

Parse naively parses a Log4j expression. See https://logging.apache.org/log4j/2.x/manual/configuration.html#PropertySubstitution
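
Log4j resolves nested ${...} lookups before the outer one, so a fixed-string match on a header value is not enough to spot a JNDI lookup. The following is an added example, not the plugin's own code: a simplified resolver that a middleware could run over each header value before answering with the configured errorCode. The names eval, resolve and IsJNDI are hypothetical, and the sample values are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// eval resolves one ${...} body whose nested lookups are already resolved (simplified model).
func eval(body string) string {
	parts := strings.SplitN(body, ":", 2)
	switch p := strings.ToLower(parts[0]); {
	case p == "jndi":
		return "${" + body + "}" // keep the lookup visible for the final check
	case strings.Contains(body, ":-"):
		return body[strings.Index(body, ":-")+2:] // ${key:-default}: key assumed unset
	case (p == "lower" || p == "upper") && len(parts) == 2:
		return parts[1] // case is normalised by the caller
	}
	return "" // any other lookup has an unknown value in this model
}

// resolve collapses lookups innermost-first using a stack of partially built strings.
func resolve(s string) string {
	stack := []string{""}
	for i := 0; i < len(s); i++ {
		top := len(stack) - 1
		switch {
		case strings.HasPrefix(s[i:], "${"):
			stack, i = append(stack, ""), i+1
		case s[i] == '}' && top > 0:
			stack[top-1] += eval(stack[top])
			stack = stack[:top]
		default:
			stack[top] += s[i : i+1]
		}
	}
	for top := len(stack) - 1; top > 0; top-- {
		stack[top-1] += "${" + stack[top] // unterminated lookup stays literal
	}
	return stack[0]
}

// IsJNDI reports whether a header value contains a JNDI lookup once resolved.
func IsJNDI(value string) bool {
	return strings.Contains(strings.ToLower(resolve(value)), "${jndi:")
}

func main() {
	fmt.Println(IsJNDI("${${lower:J}ndi:ldap://example.invalid/a}")) // constructed sample
}
```

A value that is left unterminated is kept literal and still flagged, which errs on the side of blocking.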

func (Node) String

func (n Node) String() string

type Nodes

type Nodes []*Node

Nodes is a set of nodes.

func (Nodes) String

func (e Nodes) String() string

type Token

type Token struct {
	Type  string `json:"type,omitempty"`
	Pos   int    `json:"pos,omitempty"`
	Value string `json:"value,omitempty"`
}

Token is a syntax token.

func (Token) String

func (t Token) String() string
