github chr0nzz/traefik-manager v1.7.0

4 hours ago

v1.7.0

Security

  • Traefik security advisory warnings - Traefik Manager now checks the running Traefik version against a list of known security advisories and shows a warning when your Traefik is affected, with extra urgency when a forwardAuth middleware is in use. Covers CVE-2026-39858 (ForwardAuth/header-alias authentication bypass; fixed in Traefik 2.11.43 / 3.6.14 / 3.7.0-rc.2). Works for the Host and remote agents.
  • underscoreHeadersStrategy entry point option - the Static Config entry point editor can now set http.underscoreHeadersStrategy (Keep / Delete / Reject) to stop underscore header aliases (e.g. X_Auth_User) from bypassing forwardAuth on backends that treat dashes and underscores the same. The option is only offered when the running Traefik supports it (3.6.20 / 3.7.6+).
  • Entry point editor no longer drops unmanaged keys - editing an entry point in the Static Config editor now merges into the existing definition instead of rebuilding it, so hand-added keys (like underscoreHeadersStrategy or transport settings) are preserved.
  • Encoded Characters middleware - new middleware wizard template for Traefik's encodedCharacters middleware (Traefik 3.7+), which rejects ambiguous percent-encoded path characters.
  • ForwardAuth response size limit - the forwardAuth wizards (including Authentik, Authelia, and Gatekeeper) now expose maxResponseBodySize to cap the auth server's response body (Traefik 3.7+).
  • New Security hardening documentation page covering these options and the header-alias attack.
  • OIDC stays enforced when built-in authentication is disabled (fixes #95) - previously, turning off the password login disabled all web-UI authentication even with OIDC configured, leaving the interface public. OIDC is now an independent mechanism: disabling built-in auth only hides the password form and makes OIDC the sole login. API keys keep working in every mode (the mobile app is unaffected), the password hash is preserved for manager.yml recovery if the provider becomes unreachable, and a warning is shown in the app, in Settings, and at startup when no authentication is active.

Security audit hardening

A full security audit was run over the host app, the Go agent, and the installer. The following were hardened for this release (host and agents):

  • Git backup transport is locked to real remotes - the repository URL is now validated to https://, http://, ssh://, or git:// before any git command runs, and git is invoked with protocol.ext/protocol.file/protocol.fd disabled. This blocks ext::, file://, and fd:: transport tricks that could have run local commands via a crafted backup URL.
  • Git credentials are never persisted or echoed - the access token is supplied to git through GIT_ASKPASS instead of being embedded in the remote URL, so it no longer lands in .git/config or process arguments, and it is redacted from any error message surfaced in the UI.
  • Settings responses no longer expose secrets - the /api/settings payload strips the OIDC client secret, CrowdSec keys, Traefik API password, git token, webhook password, encrypted TOTP secret, and per-agent credentials. These write-only fields are never returned to the browser or mobile app.
  • OIDC access is default-deny - when neither an email nor a group allow-list is configured, logins are rejected unless you explicitly opt in with Allow any authenticated user. Previously an empty allow-list admitted any account from the identity provider.
  • Server-side request forgery guard - the connection-test, webhook-test, ping, and OIDC-discovery fetchers reject link-local, multicast, and cloud metadata addresses (e.g. 169.254.169.254), while still allowing the private and loopback targets a self-hosted proxy legitimately needs.
  • Open-redirect fix - the post-login next redirect only accepts same-site paths, so a crafted login link can no longer bounce you to an external site.
  • Config file reads are path-scoped - the static-config, logs, and certificate read endpoints resolve paths against the allowed config directories only, preventing arbitrary file reads.
  • Additional CSRF coverage - the TLS-options save/delete and notification-settings endpoints now require a CSRF token like every other state-changing route.
  • Output escaping - the route details panel escapes all values before rendering, closing a stored-XSS path from crafted router/service names.
  • Agent hardening - the Go agent now rate-limits before authentication (so failed-auth floods are throttled), bounds its per-IP limiter map, validates git URLs and guards config-file paths the same way, and fixed a data race in the API-key store.
  • Local key material - the session signing key and TOTP key files are written 0600, and a SECRET_KEY supplied via environment is required to be at least 32 characters.
  • Installer secret prompts are masked - the stack and agent installers read API tokens, keys, and passwords without echoing them to the terminal.

Features

  • Agents can back up to the Host's git repository - in Settings → Backups → Git with an agent active, enable Use Host Repository and pick a branch. The Host pushes that agent's dynamic and static config to the Host's repository using the Host's credentials - no GIT_BACKUP_* env vars needed on the agent. Every server pushes to its own branch (enforced - the Host branch and other agents' branches are rejected), auto-push fires on every route/middleware/config change made through TM, and history, diffs, one-click restore, and manual pushes with custom commit messages all work per agent.

Fixes

  • Route port dropped for hosts starting with "http" (fixes #96) - creating a route whose target host began with http (e.g. http_inspector, httpbin) emitted the bare hostname as the server URL and dropped the scheme and port. The builder now only treats a target as a full URL when it actually starts with http:// or https://, so http_inspector + port 3000 correctly produces http://http_inspector:3000. Applies to the Host and agents.
  • Agent git backup no longer gets stuck after the remote moves - the agent now syncs its clone to the remote before every push (like the Host does) and retries once after a rejected push, so a diverged remote self-heals instead of failing every subsequent backup.
  • Host git push retries once on rejection - if another writer pushes between the Host's sync and push, the push is retried after a re-sync instead of surfacing a transient error for a backup that then succeeds.
  • Spurious "failed" errors and settings corruption on concurrent saves - settings and config writes used a fixed temporary file name, so two simultaneous requests (across gunicorn workers) could collide and report an error even though the save succeeded, and the shared YAML engine was not thread-safe, which could corrupt manager.yml under concurrent requests. Temporary files are now unique per process and thread, the YAML engine is thread-local, and interrupted writes are cleaned up.
  • Stale git panel when switching servers - opening Settings → Backups → Git on the Host and then switching to an agent kept showing the Host's git settings form. The panel now refreshes when the backups view loads.
  • Git restore used the wrong paths - restore read files from the repository root while pushes write to dynamic/ and static/, so restoring a commit could silently restore nothing. Restore now reads the correct paths (with a fallback for repositories from older layouts).
  • Docs: pointing multiple servers (Host or agents) at the same git repository and branch is now explicitly warned against - every server pushes to the same dynamic/ and static/ paths and they overwrite each other. Use a separate repository or a branch per server.

Don't miss a new traefik-manager release

NewReleases is sending notifications on new releases.