Replace direct defers that ignored returned errors with explicit defer func() { _ = ... }() and use blank-assignment for Setenv/RemoveAll/Close to satisfy error-checking and ensure closures run. Convert several if-else chains to switch for clarity (status filter, test server path matching), switch strings.Replace to strings.ReplaceAll, and normalize some error/log message casing. These changes are minor refactors across handlers, services, database and tests to improve lint compliance and readability.
Introduce services/traefik_urls.go to centralize Traefik URL helpers and add opt-in fallback probing via TRAEFIK_API_FALLBACK_URLS. defaultTraefikURL now prefers TRAEFIK_API_URL before falling back to http://traefik:8080. main.go only auto-discovers the Traefik API when TRAEFIK_API_URL is empty and TRAEFIK_API_DISCOVER=true. Service fetchers were refactored to use fallbackTraefikURLsFromEnv (and return an error if no fallbacks are configured) and a noisy non-critical endpoint warning log was removed. These changes make fallback probing explicit and avoid silently overriding user-provided TRAEFIK_API_URL.
Bump Go versions in CI, Dockerfile and go.mod/toolchain to 1.25.x and update several module dependencies. Introduce rollbackTransaction(tx, context) and replace direct tx.Rollback() calls (including panic recovery) across handlers to centralize rollback logging/handling. Replace direct json.Unmarshal/Scan calls in tests with mustUnmarshalResponse/mustScan helpers. Add TrustedProxies to ServerConfig and configure Gin with SetTrustedProxies. Misc: adjust final Docker image (Alpine version and healthcheck command) and minor logging/formatting cleanups.
Add robust error checks and helpers, improve transaction safety, and refine default templates handling.
- Add api/handlers/test_helpers_test.go with mustUnmarshalResponse and mustScan helpers and update many handler tests to use them or to check json.Unmarshal errors to fail fast.
- Replace direct DB Scan calls in tests with mustScan or explicit error checks to surface query failures.
- Improve transaction rollback handling across codepaths (config handlers, database migrations, transaction utils, CertGenerator) to log rollback errors and avoid silent failures.
- Make WithTransaction/WithTimeoutTransaction/BatchTransaction formatting consistent and add panic-safe rollback logging.
- In main, log a warning instead of ignoring EnsureDefaultDataSources errors.
- Add/cleanup various helper blank assignments and small refactors in services (config_proxy, config_generator) and switch tests to shared response writers (writeJSONResponse/writeResponseBody) where applicable.
- Large cleanup and enhancements in config/defaults.go to preserve string formatting for YAML templates, ensure special fields are quoted/preserved, and tidy whitespace/formatting.
These changes improve test reliability, make DB/tx failures more visible, and ensure default template YAML preserves important string values.
Add support for a Traefik-only active data source by implementing buildStandaloneTraefikConfig and branching GetMergedConfig to avoid Pangolin network calls when active source is TraefikAPI. Refactor TraefikFetcher: centralize full-data loading, singleflight usage, caching, rate-limit helpers, fallback URL logic, and resource construction. Fix ServiceWatcher row handling by deferring rows.Close and checking rows.Err. Update many tests: un-skip and expand coverage for ConfigProxy (Traefik/Pangolin/unknown), TraefikFetcher (singleflight, endpoints, error cases), PluginFetcher, ResourceWatcher and ServiceWatcher; add test helpers (JSON writers, counting test server, model data source builder), adapt DB test inserts to new schema fields, and switch boolean flags to atomic as needed. Misc: tidy JSON handling and expected behaviors (e.g. plugin fetch returns empty on upstream error).
Introduce a standalone Traefik Manager mode and SPA: new internal/traefikmanager package (config, helpers, files, settings, runtime, handlers, server, types) with tests and supporting testdata; add a new React/TypeScript SPA under traefik-ui/ (components, pages, build config, tests). Update build & packaging: modify Dockerfile to build the traefik-ui app and include it in the final image, add new Makefile targets for building/running both UIs and modes, and add a traefik-manager service to docker-compose (with MODE env). Add runtime config loading and README docs for the new MODE, plus .gitignore entries for traefik-ui artifacts. Small updates to main.go and added traefik_mode.go.
An "incorrect password" error is received when importing the generated Client .p12 mTLS certificate on iOS.
My understanding is this is frequently caused by incompatible encryption methods between modern certificate generation tools (like OpenSSL 3.x and in this case SSLMate’s go-pkcs12 Modern) and iOS’s older security standards.
The relevant portion of code is below:
// Generate PKCS#12 (.p12) file
p12Data, err := pkcs12.Modern.Encode(clientKey, clientCert, []*x509.Certificate{caCert}, req.P12Password)
if err != nil {
return nil, fmt.Errorf("failed to generate PKCS#12: %w", err)
}
If this is changed to:
// Generate PKCS#12 (.p12) file
p12Data, err := pkcs12.Legacy.Encode(clientKey, clientCert, []*x509.Certificate{caCert}, req.P12Password)
if err != nil {
return nil, fmt.Errorf("failed to generate PKCS#12: %w", err)
}
The generated client certificates can be imported by iOS devices.
I have forked the repo and tested it (it works) but would not advocate this change. An option to select legacy (only when required) would be preferable. Unfortunately the changes to the database where certs and keys are stored and the UI to make Legacy selectable are beyond me.
44a80ab152
Co-Authored-By: gerthomas <34512947+gerthomas@users.noreply.github.com>
add safety across services: whitelist tables for DeleteInTransaction to prevent dynamic-SQL deletion abuse; remove a deprecated UpdateInTransaction helper. centralize HTTP client creation (HTTPClientWithTimeout/GetHTTPClient) and replace ad-hoc http.Clients with it; limit response body reads with io.LimitReader to avoid unbounded memory use; add better error logging when JSON marshal fails. Improve ConfigProxy cache handling to fetch outside locks, return stale cache on fetch errors, and only lock to swap the cache; add locking to SetCacheDuration and cap error body reads. convert ResourceWatcher isRunning to atomic.Bool for safe concurrent start/stop. Replace sync.Map memoization in id_normalizer with a bounded map protected by RWMutex (maxCacheSize), add cache flush behavior and tests/benchmarks to validate boundedness and hits. Miscellaneous test updates to match new behavior.
add a legacy_p12 boolean to CreateClientRequest (backend model and frontend type) to support generating PKCS#12 files with legacy encryption for iOS/older device compatibility. CertGenerator now selects pkcs12.Legacy when legacy_p12 is true (defaults to Modern otherwise). UI: add a checkbox to the client cert creation dialog and initialize form state to include legacy_p12.
Add an 'Inspiration' section to README.md crediting @AstralDestiny for inspiring the api shim, with a short appreciation note.
Co-Authored-By: AstralDestiny <20157872+astraldestiny@users.noreply.github.com>
Key middleware entries in generated and proxied Traefik configs by middleware name (so chain references by name work) instead of by ID. Join middleware names in resource queries and scan them (with fallback to ID when name is not available), add Name fields to middleware structs, and use the extracted base name when building final middleware references. Also update log messages to include both name and ID. In the UI, enforce and auto-sanitize middleware names to lowercase a-z0-9- and hyphens only.
Refine PluginCard UI: show 'Installed (Error)' when an installed plugin has an error, change the 'not_loaded/configured' state to use a secondary variant and label it 'Installed' (with Activity icon), and update the remove button from destructive to outline while applying destructive text/hover styles. These tweaks clarify installed states and make the removal action visually less aggressive while preserving disable/tooltip behavior.
Add extensive unit tests across the codebase (api/errors, cache, many models tests, util/id_normalizer and others) to improve coverage and validate behavior. Replace ServiceWatcher.isRunning bool with atomic.Bool for safer concurrent access, update Start/Stop logic and related imports, and adjust service_watcher_test accordingly. Also update traefik_fetcher_test to use atomic counters for request counting and add minor import changes (sync/atomic).
Visual and structural refresh across the UI: adjust spacing and paddings, update theme tokens, and simplify several components for a cleaner look and interaction.
Highlights:
- App.tsx: increased main vertical padding (py-8).
- EmptyState: switched to muted translucent background and larger padding.
- Header: refined nav button styles (hover/opacity), added primary icon color, tighter spacing, replaced Button with native button, added active underline indicator and improved text styles.
- Dashboard: spacing tweaks (space-y changes), replaced Globe icon for TCP Routes with Network, updated stat descriptions and colors, moved New Middleware button inline, removed the old Quick Actions card grid and cleaned up tabs content spacing.
- StatCard: refactored layout (removed trend), added color prop with icon color mapping, updated typography and hover/border effects.
- ui/card: adjusted card border/shadow for dark mode and reduced CardTitle size.
- ui/table: tightened header/cell sizing and updated header styling to uppercase/tracking.
- globals.css: overhauled light/dark CSS color variables (hue/saturation/lightness values) and adjusted scrollbar thumb opacity.
These changes aim to unify the visual language, improve spacing and responsiveness, and simplify card/stat presentation for better clarity and interactivity.
Remove hardcoded plugin version in SecurityHub and prefer the plugin catalogue's recommended/latest version when available. Updated mtlsStore to import pluginApi, fetch the catalogue in checkPlugin, and set pluginStatus.version and recommended_version (fallbacks: installed -> recommended -> empty/default). Added MTLS_PLUGIN_MODULE constant and resilient error handling for catalogue fetch. Also added recommended_version to PluginCheckResponse type and updated UI snippets/badge to show installed or recommended version.
Introduce support for Traefik-native external middlewares referenced by resources.
- Database: add resource_external_middlewares table in migrations and ensure creation in post-migration updates.
- API: add handlers and routes to assign, remove and list external middlewares; include external_middlewares field in GetResources/GetResource responses (comma-separated name:priority:provider entries). Handlers validate resource status, use transactions, and log errors.
- Services: ConfigProxy now loads external middleware refs, merges them with internal middlewares sorted by priority when building resource config.
- UI: Resource detail component, API client, store and types updated to expose listing, assigning and removing external middlewares with UI controls and confirmation modal.
- Tests: add unit tests for assign/remove/list handlers and inclusion on GetResource.
This enables referencing middlewares defined outside MW-manager (e.g., Traefik dynamic config or plugins) and honors priority/provider metadata.
Refactored test files to use more idiomatic struct initialization and helper functions, reducing boilerplate and improving clarity. Added t.Skip calls to tests that are outdated or pending updates, and updated assertions in traefik_fetcher_test.go to use new method names. These changes improve maintainability and prepare the codebase for upcoming changes in fetcher and watcher behaviors.
Update TestDataSourceConnection to support requests with an empty body by loading the existing data source config if available. Returns 404 if the data source is not found, otherwise proceeds as before.